• Home
  • Mobiles
  • Mobiles News
  • OnePlus 6 Bootloader Vulnerability Could Let Attackers Boot a Modified Image; OnePlus Promises a Fix

OnePlus 6 Bootloader Vulnerability Could Let Attackers Boot a Modified Image; OnePlus Promises a Fix

 
Share on Facebook Tweet Share Share Reddit Comment
OnePlus 6 Bootloader Vulnerability Could Let Attackers Boot a Modified Image; OnePlus Promises a Fix

Highlights

  • OnePlus 6 is found to have a bootloader vulnerability
  • It lets attackers boot a modified image without unlocking the bootloader
  • OnePlus has assured a software update to fix the issue

A vulnerability has been discovered on the OnePlus 6 that allows attackers to bypass bootloader protection measures and boot a modified firmware image. The new vulnerability, which thankfully requires physical access to the device, could potentially help attackers to gain total control over a device. OnePlus has since assured the release of a software update to patch the loophole. Last year, OnePlus 3, OnePlus 3T, and OnePlus 5 were spotted with a diagnostic app that had offered a backdoor to gain root access without unlocking the bootloader. The company fixed that issue through an over-the-air (OTA) update, though it received huge criticism for silently bundling the EngineerMode app that is originally designed to help device manufacturers test hardware components.

As discovered by Edge Security President Jason Donenfeld, an attacker can boot any arbitrary modified firmware image to the OnePlus 6 without unlocking the bootloader. Just as in the case of the EngineerMode app, the attacker needs a tethered connection to a PC to pus the modified image, reports XDADevelopers. There is, however, no need to enable the USB Debugging mode to exploit the flaw. This means the attacker just needs to connect the OnePlus 6 to a PC in a default state to boot arbitrary images.

Folks at AndroidPolice have managed to verify the security loophole by easily passing a new boot image to the OnePlus 6 via fastboot protocol. It has also been found that unsupervised access to the phone for a few minutes can help grant root access to anyone.

OnePlus in a media statement acknowledged the issue and said: "We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly."

 

Interestingly, this isn't the first time when a OnePlus device is found to have a bootloader vulnerability. As we mentioned, the EngineerMode app that came preloaded on OnePlus 3, OnePlus 3T, and OnePlus 5 was spotted to offer root privileges to attackers without unlocking the bootloader. The app essentially offered an adb root function to provide root access once the USB debugging is enabled. "While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from the EngineerMode in an upcoming OTA," the company had said in a forum post while detailing the flaw and promising an OTA update that debuted eventually in January.

Late last month, OnePlus 6 was in the headlines for its Face Unlock feature reportedly being fooled by a photo. A user posted a video on Twitter that showed how the latest OnePlus flagship can apparently be fooled into getting unlocked with just an image showing the face registered on it. "We designed Face Unlock around convenience, and while we took corresponding measures to optimise its security we always recommended you use a password/PIN/fingerprint for security. For this reason, Face Unlock is not enabled for any secure apps such as banking or payments. We're constantly working to improve all of our technology, including Face Unlock," OnePlus had said while defending the Face Unlock feature that is not as secure as Apple's Face ID or Samsung's Intelligence Scan that uses dedicated hardware to enable facial recognition.

 

Comments

For the latest tech news and reviews, follow Gadgets 360 on Twitter, Facebook, and subscribe to our YouTube channel.

  • Design
  • Display
  • Software
  • Performance
  • Battery Life
  • Camera
  • Value for Money
  • Good
  • Looks great
  • Excellent performance
  • Useful software customisations
  • Bad
  • Average camera quality
  • No wireless charging or weatherproofing
Display6.28-inch
Processor2.8GHz octa-core
Front Camera16-megapixel
Resolution1080x2280 pixels
RAM8GB
OSAndroid 8.1 Oreo
Storage128GB
Rear Camera16-megapixel
Battery Capacity3300mAh
Further reading: OnePlus
Foxconn Says Investigating Labour Conditions at China Factory Used for Amazon
Elon Musk Has Been Missing Deadlines Since He Was a Kid
 
 

Advertisement

 

Advertisement