A vulnerability has been discovered on the OnePlus 6 that allows attackers to bypass bootloader protection measures and boot a modified firmware image. The new vulnerability, which thankfully requires physical access to the device, could potentially help attackers to gain total control over a device. OnePlus has since assured the release of a software update to patch the loophole. Last year, OnePlus 3, OnePlus 3T, and OnePlus 5 were spotted with a diagnostic app that had offered a backdoor to gain root access without unlocking the bootloader. The company fixed that issue through an over-the-air (OTA) update, though it received huge criticism for silently bundling the EngineerMode app that is originally designed to help device manufacturers test hardware components.
As discovered by Edge Security President Jason Donenfeld, an attacker can boot any arbitrary modified firmware image to the OnePlus 6 without unlocking the bootloader. Just as in the case of the EngineerMode app, the attacker needs a tethered connection to a PC to pus the modified image, reports XDADevelopers. There is, however, no need to enable the USB Debugging mode to exploit the flaw. This means the attacker just needs to connect the OnePlus 6 to a PC in a default state to boot arbitrary images.
Folks at AndroidPolice have managed to verify the security loophole by easily passing a new boot image to the OnePlus 6 via fastboot protocol. It has also been found that unsupervised access to the phone for a few minutes can help grant root access to anyone.
OnePlus in a media statement acknowledged the issue and said: "We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly."
Interestingly, this isn't the first time when a OnePlus device is found to have a bootloader vulnerability. As we mentioned, the EngineerMode app that came preloaded on OnePlus 3, OnePlus 3T, and OnePlus 5 was spotted to offer root privileges to attackers without unlocking the bootloader. The app essentially offered an adb root function to provide root access once the USB debugging is enabled. "While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from the EngineerMode in an upcoming OTA," the company had said in a forum post while detailing the flaw and promising an OTA update that debuted eventually in January.
Late last month, OnePlus 6 was in the headlines for its Face Unlock feature reportedly being fooled by a photo. A user posted a video on Twitter that showed how the latest OnePlus flagship can apparently be fooled into getting unlocked with just an image showing the face registered on it. "We designed Face Unlock around convenience, and while we took corresponding measures to optimise its security we always recommended you use a password/PIN/fingerprint for security. For this reason, Face Unlock is not enabled for any secure apps such as banking or payments. We're constantly working to improve all of our technology, including Face Unlock," OnePlus had said while defending the Face Unlock feature that is not as secure as Apple's Face ID or Samsung's Intelligence Scan that uses dedicated hardware to enable facial recognition.