One of the biggest concerns with buying from smaller brands that many often overlook is security. Earlier this year BLU was revealed to have some serious security concerns, and even OnePlus has had issues revealed. Now, another potential threat has arisen on OnePlus devices as an app on several of the company’s phones has been revealed to carry root access.
A developer recently discovered that an app installed on OnePlus devices (OnePlus 3, 3T, 5 according to Android Police) called “EngineerMode.” This app is used by OnePlus to ensure that a device is working properly before it leaves the factory. However, it also holds a backdoor which is capable of root access, even if the device has not been unlocked.
Root access was still hidden behind a password, but once that was cracked, that developer was able to obtain root access on the phone. That developer has plans to release an app which exploits this method as a way to give OnePlus users the easiest root method of all time, but don’t expect that to last long.
So yes, if you send the command: adb shell am start -n https://t.co/yYfeX14Ioj.engineeringmode/.qualcomm.DiagEnabled –es "code" "password" with the correct code you can become root!
— Baptiste Robert (@fs0c131y) November 13, 2017
Awesome! Thanks to @insitusec and the @NowSecureMobile team, we have the password! It's now possible to root an @Oneplus device with a simple intent pic.twitter.com/gN0awYijBv
— Baptiste Robert (@fs0c131y) November 13, 2017
The best thing in this story is the password. It's angela (see the reference?). This backdoor is here intentionally. When the fiction become a reality. Good luck @getpeid, you will need a very good explanation.
cc @whoismrrobot pic.twitter.com/IJgsu6hCEc— Baptiste Robert (@fs0c131y) November 14, 2017
This exploit is just that, an exploit in the phone’s security. While the risk is low since enabling root requires ADB, it still poses a threat to users. OnePlus has been alerted to the exploit and CEO Carl Pei has confirmed that the company is looking into it. Hopefully, that ends with an update that removes the app.
https://twitter.com/getpeid/status/930197107255992321
Check out 9to5Google on YouTube for more news:
FTC: We use income earning auto affiliate links. More.
Comments