OnePlus left a backdoor in Oxygen OS that hackers could exploit – report
Mere days ahead of the OnePlus 5T launch and OnePlus has been accused of inadvertent installing a backdoor into its phones which hackers could exploit to seize control of affected phones.
Cyber security enthusiast and likely Mr Robot fan, Twitter user ‘Elliot Alderson’ spotted the backdoor in OnePlus’ Oxygen OS, which according to XDA Developers, is a diagnostic testing tool supplied by Qualcomm which OnePlus appears to have accidentally left in place on its OnePlus 5, OnePlus 3 and OnePlus 3T handsets.
Dubbed ‘EngineerMode’ the tool has been designed as an easy way for phone makers to test the hardware on their devices. But Elliot Alderson found that the tool could be exploited by hackers to gain root access to a device, essentially gaining backdoor access into it where they could then take over the phone.
<Thread> Hey @OnePlus! I don’t think this EngineerMode APK must be in an user build…?♂️
This app is a system app made by @Qualcomm and customised by @OnePlus. It’s used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6— Elliot Alderson (@fs0c131y) November 13, 2017
The existence of the EngineerMode tool is nothing particularly new, but for a while people didn’t know what it could be used for. However, through decompiling the tool, it now appears to pose a security risk to affected OnePlus handsets.
The main risk is that affected phones can be rooted without needing access to a bootloader which is a security problem if a person’s OnePlus phone falls into nefarious hands.
OnePlus have yet to officially respond to the problem, and the company will no doubt be expected to push out a patch to plug the security hole. But it also serves as a warning to OnePlus to be particularly careful with the software it leaves on its future phones after they roll off the production line.
Related: Best Black Friday deals
Have you encountered any nasty hidden tools on your Android phone? If so, let us know on Twitter or Facebook.