[Update: OnePlus promises a fix] OnePlus 6 bootloader vulnerability could allow anyone with physical access full control of your phone

Android Police

By Ryne Hager

Published Jun 9, 2018

Read update

OnePlus has provided us with the following statement, which implies this vulnerability should soon be fixed:

One of the most elementary aspects of phone security is the idea of a locked bootloader, which is supposed to prevent a handset from flashing or booting arbitrary code, ostensibly keeping the software on the device secure. It's super basic—or, at least, it's supposed to be. Turns out, the OnePlus 6 will allow you to boot any arbitrary or modified image you choose, even on a locked bootloader.

According to XDA Developers, the vulnerability was discovered by zx2c4, a security researcher named Jason Donenfeld and president of Edge Security. In our own testing, we were able to confirm that this vulnerability is present on the OnePlus 6, allowing anyone with access and the means to boot an arbitrary image on the device.

Booting TWRP on a bootloader-locked OnePlus 6 is this simple, apparently. And it would be just as simple to boot any other arbitrary image, whatever it may be.

At first, this might only seem like something the root/ROM community can get excited about, but considering a stock OnePlus 6 boot image could be modified to include things like root access and insecure ADB, it's a very serious problem. It could give an attacker full control of the device.

All someone would need to violate the security of a OnePlus 6 phone right now is an external computer, a cable, and enough time to restart the device into the bootloader/fastboot mode and boot a modified image. USB debugging doesn't even need to be enabled since this is all done with fastboot. Typically a locked bootloader would prevent this from being possible, but, for whatever reason, OnePlus seems to have slipped up on this.

To be clear, this vulnerability requires that an attacker have physical and unsupervised access to the phone for a few minutes, with a computer and cable on hand to pass a new boot image via fastboot. Any time you give up physical access like that, security is a valid concern, known exploit or not.

This isn't the first time OnePlus has been caught in this sort of thing. We've reached out to OnePlus about this vulnerability, and we'll update our coverage as the story develops.