Have you created a ShazzleMail account on your smartphone? This is a required first step.

Yes No

Free Encrypted Email

ph

HACK BRIEF: ONEPLUS PHONES HAVE AN UNFORTUNATE BACKDOOR BUILT IN

November 16, 2017

ONEPLUS SMARTPHONES HAVE developed a bit of a cult following, thanks to a combination of design and affordability that few other Android handsets match. But OnePlus has also experienced some notable privacy and security issues, including a recent admission that it was collecting a sketchy amount of user data on its corporate servers. Now, a French security researcher has published evidence that nearly every OnePlus phone model comes pre-loaded with a factory testing app that essentially acts as a backdoor, potentially granting hackers full access to your device. Whoops!

The Hack
It turns out that every OnePlus model, except the original OnePlus One, has an application called “Engineer Mode” buried in its operating system. The app appears to be a development and factory testing tool, and can be used for things like GPS checks and hardware scans. These types of tools are common, but are generally disabled or removed before devices ship to consumers; otherwise their power and operating system privilege could be abused. In this case, while Engineer Mode isn’t immediately accessible from the user interface, it doesn’t take that much software probing to access it, and from there some simple commands could give an attacker root access to almost any OnePlus. The tool is a customized version of a Qualcomm app that contains the backdoor, protected with a hard-coded password.

“It’s not good. In theory, this kind of app must be removed from the final release,” says Robert Baptiste, the firmware analysis researcher who discovered the flaw. “But [that] adds another operation in the factory, which costs time and is always complicated. So sometimes—often—companies decide to keep this app. Security by obscurity is a common practice.”

Unfortunately, OnePlus didn’t obscure its Engineer Mode quite enough.

Who’s Affected?
OnePlus has sold millions of smartphones, and most of them are currently threatened by Engineer Mode. One plus owners can go to Settings, then Show System apps to check whether Engineer Mode is installed, and then delete it.

The tool can give an attacker total power over a device, but it also has real limitations. Baptiste and others point out that attacks exploiting the app require physical access to a given unit. OnePlus noted the same in a statement Tuesday, saying that Engineer Mode won’t grant full root privileges to third-party apps, ruling out more virulent remote attacks.

“EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after-sales support,” OnePlus says. “Any sort of root access would still require physical access to your device. While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming [software update].”

How Serious Is This?
Researchers emphasize that while the Engineer Mode flaws aren’t an apocalyptic crisis, they still represent a major overlooked security lapse. And while OnePlus’s upcoming fix should reassure users, some believe the episode hints at a larger potential problem with the company’s security screening and device vetting processes.

“This isn’t really a horrible situation, it will be an easy fix,” says Tim Strazzere, a researcher with the mobile security group RedNaga. “This is, however, indicative of their security posture and quality control. Maybe they’re all patched up for generic issues, but for any device/manufacturer specific issues, they likely have more. So, personally, I’d be looking to see how they respond to this and what other issues are on this device. Where there is one, there are often many more.”

Given that OnePlus doesn’t “see this as a major security issue,” it’s an open question as to whether the company will learn from the mistake and take more extensive precautions in the future. OnePlus owners should check their devices for Engineer Mode and call on the company to prioritize avoiding this type of flaw. And other manufacturers should take note as well.

“They suck, this is sure,” Baptiste says of OnePlus’s security, “but we can find this kind of thing in every firmware.”

Introducing ShazzleMail Email and How it Works

Privacy is your Fundamental Human Right.

Our Daily Blog
4000
Facebook loses Belgian privacy case, faces a hefty fine
February 19, 2018

A Belgian court threatened Facebook with a fine of up to 100mil euros (RM480mil) if it continued to ...

Read more
featured image 3
Steve Hilton: Silicon Valley’s surveillance capitalism has resulted in Big Tech killing off human privacy
February 12, 2018

The case against Big Tech seems to be building by the week. And interestingly, some of the most powe...

Read more
City Lights series. Interplay of technological fractal textures on the subject of science, technology, design and imagination
Rand Paul voices support for memo, citing privacy rights
February 5, 2018

Sen. Rand Paul, a Republican from Kentucky who recently was attacked by a neighbor while working on ...

Read more
SAN FRANCISCO - OCTOBER 24:  Dustin Moskovitz, co-founder of Facebook, delivers his keynote address at the CTIA WIRELESS I.T. & Entertainment 2007 conference October 24, 2007 in San Francisco, California. The confernence is showcasing the lastest in mobile technology and will run through October 25.  (Photo by Kimberly White/Getty Images)
Google and Facebook are watching our every move online. It’s time to make them stop
January 31, 2018

Facebook CEO Mark Zuckerberg, left, and Google CEO Larry Page To make any real progress in advancin...

Read more
nintchdbpict0003786826291
Panicky Bitcoin investors struggle to withdraw cash from money exchanges as they look to ‘safe’ gold investments amid fears of cryptocurrency collapse
January 22, 2018

HERE are mounting fears that Bitcoin investors will struggle to get their cash out after the cryptoc...

Read more