SafeUM
Home Blog Services Download Help About Recharge

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
SafeUM
Blog
Services
Download
Help
About
Recharge
Menu
Archive
TOP Security!
16 Nov 2017

OnePlus phones were shipped with a hidden backdoor

OnePlus, a major Chinese smartphone manufacturer, has gotten itself into a hell of a lot of security trouble lately, and now the situation is only getting worse.

Mobile security researcher Robert Baptiste, who goes by the pseudonym Elliot Alderson (a nod to the main character in the Mr. Robot series), discovered that OnePlus smartphones have been apparently shipping for years with a hidden backdoor. It makes it easy for a clever hacker with physical access to root a OnePlus phone with just a few lines of code.

Alderson found an application on OnePlus devices intended for factory testing, and discovered it could be used to obtain “root access” to the phone. Rooting an Android device allows a developer to essentially gain access to everything in the operating system, and permission to change anything about the device’s software. The application the researcher found is called “Engineer Mode.”

It’s meant to be used while the smartphone is still in the factory, to test whether it’s working properly. Engineer Mode was hidden behind a password, but Alderson along with researchers at app security firm NowSecure were able to quickly crack it. The password is “angela,” which could ironically be another Mr. Robot reference.

Alderson believes that the vulnerability can only be exploited with physical access, at least for now. He said in a tweet that it’s “too early to speak about a random app getting root access, but we are on the good tracks.” It looks like the application was left on a number of devices, but it’s not clear whether OnePlus did so intentionally, or whether it was an accident. Engineer Mode is on several different smartphones that OnePlus makes, including the OnePlus 3, OnePlus 3T, and the OnePlus 5, according to the blog Android Police.

Alderson told me in a Twitter DM that he has no doubt that Engineer Mode was left on OnePlus devices with the company’s knowledge. “This app is a Qualcomm app customized by OnePlus. This backdoor had been coded by Qualcomm.” The backdoor may not have been left maliciously however, Alderson explained. It could have been due to “laziness.”

Alderon told me he started investigating OnePlus devices last month when another major security problem was made public about the manufacturer’s phones. In October, a January report from security researcher Chris Moore was covered widely by the press. It showed that OnePlus was collecting sensitive information from its users and transmitting it to a server along with each device’s serial number. In response to these findings, OnePlus later scaled back its data collection program.

If you want to see if your device has Engineer Mode installed, you can go to Settings > Apps > Menu > Show System apps. There, you can search whether Engineer Mode is installed. If you discover that your device has it, you can delete it from your phone’s applications, according to Alderson.

It appears that OnePlus phones might not be the only devices to come pre-baked with Engineer Mode. Several users on Twitter have reported discovering the app in Lenovo and Motorola devices that use Qualcomm chips. Other manufacturers may be affected, according to Alderson, because Engineer Mode is an app designed by the manufacturer Qualcomm.

“After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm. Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided," a spokesperson from the company said in an emailed statement.

OnePlus also did not immediately return a request for comment, but the company’s CEO, Carl Pei, said on Twitter that the issue was being examined. The discovery of this hidden backdoor couldn’t come at a worse time: OnePlus’ latest smartphone, the OnePlus 5T comes out this week.


Download SafeUM — communicate privately, without advertising and spam.

Tags:
surveillance OnePlus
Source:
Motherboard
1426
Other NEWS
3 Jul 2020 safeum news imgage An encrypted messaging service has been infiltrated by police
4 May 2020 safeum news imgage Two-Factor Authentication ​What Is It and Why You Should Use It
12 Dec 2019 safeum news imgage Encryption is under threat - this is how it affects you
4 Nov 2019 safeum news imgage Should Big Decisions Be Based on Data or Your Intuition?
7 Jun 2018 safeum news imgage VPNFilter malware infecting 500,000 devices is worse than we thought
4 Jun 2018 safeum news imgage Hackers target Booking.com in criminal bid to steal hundreds of thousands from customers
1 Jun 2018 safeum news imgage Operator of World's Top Internet Hub Sues German Spy Agency
30 May 2018 safeum news imgage US says North Korea behind malware attacks
29 May 2018 safeum news imgage Facebook and Google targeted as first GDPR complaints filed
25 May 2018 safeum news imgage A new reason to not buy these cheap Android devices
24 May 2018 safeum news imgage Flaws in smart pet devices, apps could come back to bite owners
23 May 2018 safeum news imgage Google sued for 'clandestine tracking' of 4.4m UK iPhone users' browsing data
21 May 2018 safeum news imgage LocationSmart reportedly leaked phone location data onto the web
18 May 2018 safeum news imgage The SEC created its own scammy ICO to teach investors a lesson
17 May 2018 safeum news imgage Thieves suck millions out of Mexican banks in transfer heist
All news
SafeUM
Confidential Terms of Use Our technologies Company
Follow us
Download
SafeUM © Safe Universal Messenger

Axarhöfði 14,
110 Reykjavik, Iceland

Iceland - 2015