OnePlus phones sold with root exploit backdoor

By

Vendor left diagnostics app on devices.

Phone maker OnePlus is shipping devices with a diagnostics app that allows root superuser access to the smartphone, potentially exposing sensitive user data.

OnePlus phones sold with root exploit backdoor

The issue was first discovered by mobile security researcher Robert Baptiste, who has published details of the vulnerability.

Baptiste found that OnePlus was shipping devices with the Qualcomm EngineerMode app - which is used by device makers for testing and diagnostics - with its OxygenOS customised version of Google's Android operating system.

The code for the app is digitally signed and contains a password with weak encryption that is easily discernible, security vendor NowSecure found.

Entering the password into the EngineerMode app provides permanent root access to the Android Debug Bridge process. Through the ADB, it is possible to get full access to all parts of OnePlus devices.

OnePlus has acknowledged the issue, and company founder Carl Pei said it is being investigated. 

OxygenOS 4.5.1 on the OnePlus 3 and version 4.5.14 on the OnePlus 5 come with the EngineerMode app installed. NowSecure suggested deleting the app to remove the chances of it being misused.

While the vulnerability allows attackers to use the EngineerMode app to fully compromise devices, a mitigating factor is that local access to devices is needed - no remote exploit is available.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:

Most Read Articles

NSW Police to embark on $126m IT overhaul

NSW Police to embark on $126m IT overhaul

CBA looks to GenAI to assist 1200 'security champions'

CBA looks to GenAI to assist 1200 'security champions'

Australia's super funds told to assess authentication controls

Australia's super funds told to assess authentication controls

WestJet probes cyber security incident

WestJet probes cyber security incident

Log In

  |  Forgot your password?