OnePlus backdoor means hackers could take over your phone
Hackers who get hold of some OnePlus phones can get virtually unlimited access to their files and software through use of a testing tool called EngineerMode the company evidently left on the devices.
Robert Baptiste, a freelance security researcher who goes by the name Elliot Alderson on Twitter after the "Mr. Robot" TV show character, found the tool on a OnePlus phone and tweeted his findings Monday. Researchers at security firm SecureNow helped figure out the tool's password, a step that means hackers can get unrestricted privileges on the phone as long as they have the device in their possession.
The EngineeerMode software functions as a backdoor, granting access to someone other than an authorized user. Escalating those privileges to full do-anything "root" access required a few lines of code, Baptiste said.
"It's quite severe," Baptiste said via a Twitter direct message.
OnePlus disagreed, though it said it's decided to modify EngineerTool.
"EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support," the company said in a statement. Root access "is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device. While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb [Android Debug Bridge command-line tool] root function from EngineerMode in an upcoming OTA."
SecureNow found the tool on the OnePlus 3 and OnePlus 5. Android Police reported it's also on the OnePlus 3T. And Baptiste said it's also on the new OnePlus 5T.
The EngineerMode tool is made by mobile chipmaker Qualcomm, Baptiste said. "We are looking into this now," Qualcomm said of the situation.
MTCHT
ICT
TECHNOLOGICAL INNOVATIONS
POST
ABOUT US
NEWS
INTERESTING
INTERVIEW
ANALYSIS
ONLAIN LESSONS
