OnePlus is no stranger to security and privacy issues surrounding its smartphones. It faced scrutiny recently when its smartphones were said to be relaying personal data to remote locations. However, the company now faces another security issue with the brand new OnePlus 6. As per XDA, the OnePlus 6 bootloader has a loophole that allows an attacker to boot any modified image, thus rendering the bootloader lock useless.
— Edge Security (@EdgeSecurity) June 9, 2018
OnePlus 6 Security Issue Found
Basically, this allows an attacker to bypass the locked bootloader. This disastrous flaw, in theory, will grant the attacker complete control of the device. What’s worse is that you don’t need to enable USB Debugging mode to do this. Thankfully, this does require physical custody of the device as well as PC connectivity, so it’s not that easy. The vulnerability was found by Edge Security LLC’s president Jason Donenfeld, who is also a recognised XDA developer. Folks at Android Police were also able to achieve root access by exploiting the same flaw.
As big a blunder as this is, OnePlus has acknowledged the issue and has issued a speedy statement, quoted below.
“WE TAKE SECURITY SERIOUSLY AT ONEPLUS. WE ARE IN CONTACT WITH THE SECURITY RESEARCHER, AND A SOFTWARE UPDATE WILL BE ROLLING OUT SHORTLY.” – ONEPLUS SPOKESPERSON
In a similar story from the past year, the OnePlus 3T and OnePlus 5 were found to have a diagnostics app that allowed root access without unlocking the bootloader. OnePlus resolved that issue via an OTA update but received flak from the global community.