OnePlus plans to fix glaring smartphone security flaw allowing easy root access

While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA. However, the EngineerMode app also holds a backdoor which is capable of root access, even if the device has not been unlocked. While the root backdoor hasn't been verified on other devices yet, reports from Twitter indicate the APK was also found on Asus and Xiaomi devices.

The app and the subsequent backdoor access were discovered by Twitter user Elliot Alderson (a reference to the Mr. Robot character), who then went into a lot of detail about how to gain root access to the device.

According to a developer named Elliot Alderson, OnePlus has an application called "EngineerMode", which is used in the factory to check whether the unit is working properly. The developer added that he will publish an application for rooting OnePlus devices without unlocking them. The EngineerMode application is present in all OnePlus devices, including the 3, 3T and 5.

Entering the password into the EngineerMode app provides permanent root access to the Android Debug Bridge process. However, carrying out such an attack would require physical access to the device: the hacker would need to have the smartphone in hand to hijack Engineer Mode and start doing damage. Later, Pei confirmed in a blog post that OnePlus will scale back on data collection on its devices.

While the vulnerability allows attackers to use the EngineerMode app to fully compromise devices, a mitigating factor is that local access to devices is needed - no remote exploit is available.

An apparent factory cockup has left many OnePlus Android smartphones with an exposed diagnostics tool that can be exploited to root the handsets.

The discoverer of the app had a problem.
