[Update: Fix] Bootloader Protection Bypass Discovered on OnePlus 6 (requires physical access)

We may earn a commission for purchases made using our links.

Update 6/9/18 2:31PM CT: OnePlus has issued a statement regarding this topic.

Update 6/15/18 10:47AM: OnePlus has started to roll out OxygenOS 5.1.7 with a fix for the bootloader vulnerability.

The OnePlus 6 was made official in the middle of last month. The device has only recently started to make its way into the hands of consumers and developers on our forums, and already we’re hearing about the work that’s being done. An official build of TWRP is already available and work is progressing nicely on an unofficial LineageOS 15.1 GSI. The OnePlus 6 isn’t only receiving attention from users interested in the device for their personal use or projects, however, as security researchers are starting to take a closer look at the device to see what they can find.

One such researcher, Jason Donenfeld, president of Edge Security LLC, also known on XDA as zx2c4, has discovered a vulnerability on the device that allows him to boot any arbitrary modified image that bypasses bootloader protection measures (such as a locked bootloader). (Exploiting the vulnerability requires physical access to the device.)

The #OnePlus6 allows booting arbitrary images with `fastboot boot image.img`, even when the bootloader is completely locked and in secure mode. pic.twitter.com/MaP0bgEXXd — Edge Security (@EdgeSecurity) June 9, 2018

This vulnerability allows an attacker with physical access and a tethered connection to a PC to take control of the device. If the boot image is modified with insecure ADB and ADB as root by default, then an attacker with physical access will have total control over the device. Unlike the infamous “backdoor” (which wasn’t really a backdoor) on the OnePlus 5T, exploiting this vulnerability does not require the user to have USB Debugging already enabled. That means that an attacker only needs to get their hands on the device—and nothing more—to gain full access to it if they exploit this vulnerability on the OnePlus 6.

The bug was reported to multiple engineers of OnePlus and Jason Donenfeld has confirmed that a member of the security team has acknowledged the report. We will be following up on this matter as more information becomes available. We hope a patch is released for the bootloader quickly so this issue can be resolved.

Update 1: OnePlus Statement

OnePlus has offered a statement on the matter:

“We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly.” – OnePlus spokesperson

We will continue following this topic and will update you once a software update is available.

Update 2: Fix

OnePlus has started to roll out OxygenOS 5.1.7 for the OnePlus 6 on June 15th with a fix for the bootloader vulnerability.

This article was updated to reflect that an attacker needs physical access to the device as well as a tethered connection to a PC to exploit the vulnerability.