Skip to main content

Even with a locked bootloader, anyone w/ physical access can boot a modified image on the OnePlus 6

For obvious security reasons, Android requires users to take a number of steps before it should be possible to unlock a smartphone’s bootloader and boot a modified firmware image. But with the OnePlus 6, these security measures appear to be ineffective as anyone with physical access to the device can jump right past its locked bootloader.

As discovered by Jason Donenfeld (zx2c4 on XDA-Developers), president of Edge Security LLC, you can boot any type of modified image you like to the OnePlus 6 even when the bootloader is locked. Even crazier, as you can see from the video below, USB debugging doesn’t need to be turned on. All someone needs to do is plug the phone into their computer, restart the device into Fastboot mode, and transfer over the modified boot image.

The security vulnerability was verified by AndroidPolice who were able to boot TWRP on their bootloader-locked OnePlus 6 without issue. As they point out, this would be a quick and easy way for someone to grant themselves root access and allow them to do whatever they like.

All of this comes on the heels of users discovering the fact that the OnePlus 6’s face unlock feature could be tricked by a printed out picture. Of course, these two things are in completely different realms as OnePlus warns users that face unlock is less secure than other security measures while the ability to bypass a locked bootloader is a system-level vulnerability.

OnePlus has yet to release a statement about this problem or when a fix will become available. In the meantime, you don’t need to worry too much about someone getting into your OnePlus 6 as they would need physical access to your device.

Update: OnePlus has released the following statement, promising a quick fix:

We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly.


Check out 9to5Google on YouTube for more news:

FTC: We use income earning auto affiliate links. More.

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

Comments

Author

Avatar for Justin Duino Justin Duino

I’m a writer for 9to5Google with a background in IT and Android development. Follow me on Twitter to read my ramblings about tech and email me at justin@jaduino.com. Tips are always welcome.


Manage push notifications

notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications
notification icon
We would like to show you notifications for the latest news and updates.
notification icon
You are subscribed to notifications