Just a few short weeks after the launch of the OnePlus 6, a cyber-security researcher discovered a major vulnerability that he claims could allow the device to boot into any arbitrarily modified image bypassing all bootloader protection measures, even though the device comes with a locked bootloader like most other Android smartphones.
According to Jason Donenfeld, president of Edge Security LLC, the attacker won’t even need to enable USB debugging to hack into the device using this flaw, although, they would require physical access to the victim’s phone.
The #OnePlus6 allows booting arbitrary images with `fastboot boot image.img`, even when the bootloader is completely locked and in secure mode. pic.twitter.com/MaP0bgEXXd
— Edge Security (@EdgeSecurity) June 9, 2018
OnePlus has also acknowledged the issue, and has released a statement, saying that it will soon roll-out a security patch to mitigate the threat. According to the company, “We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly”.
It is interesting to note that this is not the first time that OnePlus devices have been plagued by security issues. Last year, it was the turn of the OnePlus 5T to come under the scanner after the discovery of the Engineering Mode app that reportedly could grant adb root privileges to anybody with access to the master password (which happened to be ‘angela’).
While this is, indeed, a serious lapse in security from OnePlus, the fact that exploiting the flaw requires physical access to the smartphone means that most users would have remained safe even if it was never discovered. However, with Android security continuing to remain a massive problem with the discovery of new issues seemingly every other day, it’s good to know that such issues are being caught by researchers before they can snowball into massive problems.