Flagship smartphones always set a benchmark for other companies with their high-end features, top-of-the-line processor and enhanced camera quality. However, the one critical focus of every company for all its devices is the security of said devices. They want to ensure there are no vulnerabilities that would compromise the phone or the integrity of the information stored on said phones.
Apparently, not one, but four such vulnerability has been found on the popular Chinese smartphone brand OnePlus. A security researcher, Roee Hay of Aleph Research, HCL Technologies who discovered the vulnerabilities said that these vulnerabilities affect every OnePlus handset. The vulnerabilities were found to effect OnePlus One, OnePlus X, OnePlus 2, OnePlus 3 and 3T running the latest versions of OxygenOS 4.1.3 and below and as well HydrogenOS 3.0 and below for Chinese users.
According to him, one of the unpatched vulnerabilities allows for a MitM (Man-in-the-Middle) to intervene, enabling the attacker to downgrade the device’s operating system to an older version. It even allows the attacker to replace the OxygenOS with HydrogenOS (vice-versa), both without a factory reset, allowing for exploitation of other vulnerabilities which had been otherwise patched in the newer operating system.
Hay noted that he reported the issues to OnePlus Security on January 26 this year, however, OnePlus failed to meet the 90-day disclosure deadline. The company couldn’t release a patch for the issues even after 14-days deadline extension after which the researcher decided to reveal these vulnerabilities publicly. Roee Hay described the details of the vulnerabilities as follows.
OnePlus OTA Lack of TLS Vulnerability: CVE-2016-10370
Roee Hay and another researcher Sagi Kedmi, who independently discovered the vulneraries claimed OnePlus is delivering OS updates and security updates over an unencrypted channel. According to them, OnePlus has been delivering the signed OTA (over-the-air) updates over HTTP without TLS, thereby allowing remote attackers to perform MitM attacks.
OnePlus OTA Downgrade Vulnerability: CVE-2017-5948
According to the researcher, this bug enables a remote attacker to downgrade the operating system of a OnePlus device, running either on OxygenOS or HydrogenOS, to an earlier version that further allows exploitation of now-patched vulnerabilities. The researcher further explained that all the OnePlus OTAs of different ROMs and products are signed by the same digital key. While examining the OnePlus OTA, Roee said that in contrast to Google’s OTA, OnePlus does not verify the ‘timestamp’ of the installed images.
Same product ROM Crossover(CVE-2017-8850) & Different product ROM Crossover(CVE-2017-8851)
The same product ROM crossover allows a remote MitM attacker or a physical attacker to replace any version of OxygenOS(global) on a OnePlus device with any version of HydrogenOS(China), even on devices with a locked bootloader. Hay said that the attack is possible given the fact that both ROMs use the same OTA verification keys.
Unlike the above-mentioned vulnerabilities that affect all the OnePlus devices, the different product ROM crossover affects only the OnePlus X and OnePlus One with the same flaw where a remote attacker can replace the OxygenOS/HydrogenOS built for OnePlus X with the OnePlus One OxygenOS/HydrogenOS, even on locked bootloaders. The researcher had published proof-of-concept (PoC) code for the above flaws on GitHub. Evidently, the vulnerabilities can be exploited when the attacker and the targeted devices are connected to the same wireless network.
Given how quickly OnePlus has been rolling out software updates for the OnePlus 3 and the OnePlus 3T, it is surprising that OnePlus has done nothing to patch these glaring vulnerabilities. We can only hope that now with these vulnerabilities out in the open, the company would be swift to address them.