Saturday, June 9, 2018

Bootloader Protection Bypass Discovered on OnePlus 6 (requires physical access)

The OnePlus 6 was made official in the middle of last month. The device has only recently started to make its way into the hands of consumers and developers on our forums, and already we're hearing about the work that's being done. An official build of TWRP is already available and work is progressing nicely on an unofficial LineageOS 15.1 GSI. The OnePlus 6 isn't only receiving attention from users interested in the device for their personal use or projects, however, as security researchers are starting to take a closer look at the device to see what they can find.

One such researcher, Jason Donenfeld, president of Edge Security LLC, also known on XDA as zx2c4, has discovered a vulnerability on the device that allows him to boot a modified image that bypasses bootloader protection measures (such as a locked bootloader). (Exploiting the vulnerability requires physical access to the device.)

This is a serious vulnerability as it allows an attacker with physical access to take control of the device. If the attacker boots a modified boot image that ships with insecure ADB enabled and ADB running as root by default, then an attacker with physical access will have total control over the device. Unlike the infamous "backdoor" (which wasn't really a backdoor) on the OnePlus 5T, exploiting this vulnerability does not require the user to have USB Debugging already enabled. That means that an attacker only needs to get their hands on the device—and nothing more—to gain full access to it if they exploit this vulnerability on the OnePlus 6.

The bug was reported to multiple engineers of OnePlus and Jason Donenfeld has confirmed that a member of the security team has acknowledged the report. We will be following up on this matter as more information becomes available. We hope a patch is released for the bootloader quickly so this issue can be resolved.

from xda-developers