A Backdoor in OnePlus devices allows root access without unlocking bootloader
15.11.2017 securityaffairs Mobil

Expert discovered a backdoor in OnePlus devices that allows root access without unlocking the bootloader.
More problems for owners of OnePlus smartphones: this time experts discovered a backdoor that allows root access without unlocking the bootloader.

Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets.

The Twitter user who goes by the handle “Elliot Alderson @fs0c131y” (the name of the main character of Mr. Robot) discovered a backdoor in OnePlus devices running OxygenOS that could allow anyone to obtain root access to the handsets.

13 Nov
Elliot Alderson @fs0c131y
Replying to @fs0c131y and 8 others
In the onCreate method if the intent is not null the escalatedUp method is called with the parameter enable=true and password=getIntent().getStringExtra("code"). Do you see where I'm going? pic.twitter.com/oa1i1NdlpU

Elliot Alderson @fs0c131y
The escalatedUp method is calling Privilege.escalate(password) and if the result is true, it sets the system properties persist.sys.adbroot and oem.selinux.reload_policy to 1 pic.twitter.com/92LeBfDPAv

6:39 PM - Nov 13, 2017
Most OnePlus devices, including the OnePlus 2, 3, 3T and the brand-new OnePlus 5, come with a pre-installed diagnostic testing application dubbed EngineerMode.


The app was developed by Qualcomm to help device manufacturers easily test all the hardware components of a device.

The app is visible in the list of applications installed on the OnePlus devices.

The pre-installed app is exploitable by attackers with physical access to the device and allows them to gain root access on the smartphone.

The @fs0c131y user decompiled the EngineerMode APK and shared it on GitHub; he discovered the ‘DiagEnabled’ activity, which could be opened with the hardcoded password “Angela” to gain full root access on the smartphone without even unlocking the bootloader.

13 Nov
Elliot Alderson @fs0c131y
Replying to @fs0c131y and 8 others
I will find time to make a POC.
But it's not the biggest issue with this app.

Elliot Alderson @fs0c131y
The DiagEnabled, which is a @Qualcomm made activity, is the best class in this EngineerMode APK. Check the methods in this activity: escalatedUp(boolean, string) sounds like a cool thing no 😀? pic.twitter.com/iQFfam6eg6

6:34 PM - Nov 13, 2017

The problem is severe, and OnePlus users must be aware that root access to the device can be gained with a simple command.


The hack could be exploited by an attacker to perform several malicious activities, including the installation of spyware or a bootkit.

The workaround to protect vulnerable OnePlus smartphones consists of disabling root on the phone by running the following commands in an ADB shell:

setprop persist.sys.adb.engineermode 0
setprop persist.sys.adbroot 0

or, alternatively, by dialing the code *#8011#.

Elliot Alderson plans to release an application to root OnePlus devices.
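As an added example (not the article's code and not @fs0c131y's work), the following script audits a getprop dump from a OnePlus device for the properties named in the article, flags any that are set to 1, and prints the article's remediation. The property names come from the article; the sample dump is constructed, and the script name is a placeholder.

```shell
#!/bin/sh
# Added example, not the article's or @fs0c131y's code: audits a OnePlus
# getprop dump for the EngineerMode root state the article describes and
# prints the article's remediation. Reads the dump on stdin so it works
# offline on a saved file; live: adb shell getprop | sh engineermode_audit.sh

# Properties named in the article: escalatedUp() sets the first and third to
# 1; the workaround clears the first two.
RISKY_PROPS="persist.sys.adbroot persist.sys.adb.engineermode oem.selinux.reload_policy"

# prop_value DUMP NAME: print NAME's value from a getprop dump ("[name]: [value]").
prop_value() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots must match literally
    printf '%s\n' "$1" | sed -n "s/^\[$esc\]: \[\(.*\)\]\$/\1/p" | head -n 1
}

# Returns 0 when no risky property is set to 1, 1 otherwise; one line per property.
audit_engineermode_props() {
    dump=$(cat)
    rc=0
    for prop in $RISKY_PROPS; do
        value=$(prop_value "$dump" "$prop")
        if [ "$value" = "1" ]; then
            printf '%-34s %-8s ENABLED\n' "$prop" "$value"
            rc=1
        else
            printf '%-34s %-8s ok\n' "$prop" "${value:-<unset>}"
        fi
    done
    if [ "$rc" -ne 0 ]; then   # remediation from the article (or dial *#8011#)
        echo "Remediation: adb shell setprop persist.sys.adb.engineermode 0"
        echo "             adb shell setprop persist.sys.adbroot 0"
    fi
    return "$rc"
}

# Constructed sample dump (not captured from a real device) in the enabled state.
SAMPLE_DUMP='[ro.product.brand]: [OnePlus]
[persist.sys.adbroot]: [1]
[oem.selinux.reload_policy]: [1]'

if printf '%s\n' "$SAMPLE_DUMP" | audit_engineermode_props; then
    echo "Device state: EngineerMode root path not enabled"
else
    echo "Device state: EngineerMode root path ENABLED"
fi
```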

13 Nov
Elliot Alderson @fs0c131y
Replying to @fs0c131y and 18 others
Awesome! Thanks to @insitusec and the @NowSecureMobile team, we have the password! It's now possible to root an @Oneplus device with a simple intent pic.twitter.com/gN0awYijBv

Elliot Alderson @fs0c131y
I will publish an application on the PlayStore to root your @OnePlus device in the next hours

10:57 PM - Nov 13, 2017
OnePlus is currently analyzing the issue.

Stay tuned!