OnePlus 6 vulnerability could let someone install malicious software

The vulnerability allows attackers to push malicious software to your phone

The new OnePlus 6 has a security vulnerability that could allow attackers to gain full control of the device.

According to XDA Developers, the vulnerability is in the device’s bootloader. The bootloader is like a gate of sorts, locking down the phone’s system image. The phone loads the image — and any software in it — when it powers on.

The bootloader is a fairly basic part of phone security — most manufacturers ship phones with a locked bootloader to protect users. Users can unlock the bootloader, but doing so wipes the device to protect user data.

The vulnerability on the OnePlus 6 allows system images to be pushed to the phone without unlocking the bootloader. What this means is anyone can push a modified boot image to your device with the right tools. Modifications could include root access or an insecure ADB — a tool that allows a computer to communicate with your device.

Right now, an attacker with a computer, a USB cable and some time would be able to take advantage of the vulnerability. Granted, they would need physical and unsupervised access to your phone for a few minutes.

The attacker would have to boot the device into Fastboot mode and connect it to their computer. From there they can push a new system image to the device. The device will load the new system image when it reboots.

XDA user zx2c4, a security researcher named Jason Donenfeld, discovered the vulnerability. Donenfeld is the president of Edge Security, an information security research and consulting firm. He tweeted a video showing how the vulnerability can be exploited.

In a statement it provided to XDA Developers, OnePlus said it has been in contact with Donenfeld and plans to roll out a software update to fix the vulnerability.

“We take security seriously at OnePlus,” the statement said.

This isn’t the first time OnePlus has had a security mix-up. Earlier this year, the company had a data breach that exposed the credit card information of some 40,000 customers.

Additionally, some OnePlus devices had a hidden app that allowed root access. The app was a testing app used in production. However, attackers could potentially use the app to gain root access.

Source: XDA Developers via Android Police
