Expert discovered a backdoor in OnePlus devices that allows root access without unlocking the bootloader

More trouble for owners of OnePlus smartphones: this time experts discovered a backdoor that allows root access without unlocking the bootloader.

Just over a month after OnePlus was caught collecting personally identifiable information on its users, the Chinese smartphone company has been found leaving a backdoor on almost all OnePlus handsets.

A Twitter user who goes by the handle "Elliot Alderson @fs0c131y" (the name of the main character of Mr. Robot) discovered a backdoor in OnePlus devices running OxygenOS that could allow anyone to obtain root access to the handsets.

The escalatedUp method is calling Privilege.escalate(password) and if the result is true, it sets the system property persist.sys.adbroot and oem.selinux.reload_policy to 1 pic.twitter.com/92LeBfDPAv — Elliot Alderson (@fs0c131y) November 13, 2017

Most OnePlus devices, including the OnePlus 2, 3, 3T and the brand-new OnePlus 5, come with a pre-installed diagnostic testing application dubbed EngineerMode.

The app was developed by Qualcomm to help device manufacturers easily test all hardware components of their devices.

The app is visible in the list of applications installed on the OnePlus devices.

The pre-installed app can be exploited by an attacker with physical access to the device to gain root access on the smartphone.

The @fs0c131y user decompiled the EngineerMode APK and shared it on GitHub. He discovered the 'DiagEnabled' activity, which can be opened with the hardcoded password "Angela" to gain full root access on the smartphone, without even unlocking the bootloader.

The DiagEnabled, which is a @Qualcomm made activity, is the best class in this EngineerMode APK. Check the methods in this activity: escalatedUp(boolean, string) sounds like a cool thing no ?? pic.twitter.com/iQFfam6eg6 — Elliot Alderson (@fs0c131y) November 13, 2017

The problem is severe, and OnePlus users must be informed that it is possible to gain root access to the device using a simple command.

An attacker could exploit the hack to perform several malicious activities, including the installation of spyware or a bootkit.

The workaround to protect vulnerable OnePlus smartphones consists of disabling root on the phone using the following commands in an ADB shell:

"setprop persist.sys.adb.engineermode 0" and "setprop persist.sys.adbroot 0" or call code *#8011#

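To check whether a handset is in the state described above, the following added example (not code from the researcher or from OnePlus) parses `getprop` output and flags the three properties named in this article when they are set to 1. The function names and the sample input are constructed for illustration, and treating 1 as the enabled state is an assumption based on the values quoted above.

```shell
#!/bin/sh
# Added example (not from the article's researcher or OnePlus).
# Reads `getprop` output ("[key]: [value]") on stdin and flags the properties
# the article names when they are set to 1.
# Typical use on a host with adb: adb shell getprop | audit_props

# Property names taken from the article. Treating "1" as the enabled state
# is an assumption based on the values quoted there.
WATCHED="persist.sys.adbroot persist.sys.adb.engineermode oem.selinux.reload_policy"

audit_props() {
    cr=$(printf '\r')
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}              # adb output may end lines with CRLF
        case "$line" in
            "["*"]: ["*"]") ;;          # well-formed getprop line
            *) continue ;;              # skip anything else
        esac
        key=${line#\[}; key=${key%%\]*}
        val=${line#*\]: \[}; val=${val%\]}
        for p in $WATCHED; do
            if [ "$key" = "$p" ] && [ "$val" = "1" ]; then
                echo "FLAG $key=$val"
            fi
        done
    done
    return 0
}

# Constructed sample input, not captured from a real device.
sample_getprop() {
    cat <<'EOF'
[ro.build.type]: [user]
[persist.sys.adbroot]: [1]
[persist.sys.adb.engineermode]: [0]
[oem.selinux.reload_policy]: [1]
EOF
}

sample_getprop | audit_props
```

A flagged persist.sys.adbroot or persist.sys.adb.engineermode is what the setprop workaround above resets to 0.
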
Elliot Alderson plans to release an application to root the OnePlus devices.

I will publish an application on the PlayStore to root your @OnePlus device in the next hours — Elliot Alderson (@fs0c131y) November 13, 2017

OnePlus is currently analyzing the issue.

Stay tuned!

Pierluigi Paganini

(Security Affairs – OnePlus devices Android root, hacking)
