OnePlus is something of a darling among Android power users, shipping phones that can be bootloader unlocked without any special permissions or codes. But security researcher Roee Hay found that the OnePlus 3 (and the revised OnePlus 3T) are rather more open than was probably intended. With two native fastboot commands, Hay found he could install unverified boot images and disable the verified boot feature, all without actually unlocking the bootloader with the familiar user-accessible command. Which is, well, bad: it basically means anyone can run malicious code on the phone without resetting the user's data.

The first vulnerability affects OnePlus's custom Oxygen OS versions 3.2 through 4.0.1, with the second one affecting all versions of the software. OnePlus 3 owners will know that in fact the phone was recently upgraded to 4.0.2, including a patch for the kernel code vulnerability after it was disclosed to the OnePlus developers - if you haven't already upgraded to the Android 7.0-based build, you should do so immediately. The dm-verify vulnerability is proving a little harder to crack, but should be patched up soon.

If you're into this sort of thing, Hay has studiously documented his findings on his website, including a video demonstration. Other OnePlus phones don't seem to be affected, or at least the exploits haven't been demonstrated on them.

Source: securityresear.ch