It was only recently that OnePlus came under the scanner for collecting specific usage information without users' knowledge. While that issue has been resolved, with the company apologising and ensuring users are prompted with an option to opt out, a new vulnerability has now been discovered which could give malicious users backdoor access to the device.
A Twitter user going by the name Elliot Anderson discovered that the company had accidentally left in place a diagnostic testing application made by Qualcomm that can potentially be exploited to gain root access, effectively acting as a backdoor.
Called ‘EngineerMode’, it is a system application made by Qualcomm and provided to OEMs like OnePlus in order to allow them easy testing of all hardware components of the device. The app is pre-installed on all OnePlus 3, OnePlus 3T, and OnePlus 5 devices and can be easily accessed through any activity launcher, XDA Developers reports.
While the existence of the app was detected months ago, it was only when Anderson decompiled it that its potential to act as a backdoor was discovered. In the process, an activity called DiagEnabled was found, and within it a method called escalatedUp. The method accepts a boolean value (true/false) and a string. The string is a password that the method checks before it sets the system properties persist.sys.adbroot and oem.selinux.reload_policy to 1.
This allows a user to run ADB as root, which in turn opens up the possibility of acquiring full root access on the phone without even having to unlock the bootloader. The escalation requires a password, and finding that password was not easy. Anderson decompiled the library responsible for generating it and located the password hash at /data/backup/fpwd. The password is derived from various build properties such as ro.product.model and ro.product.brand and would not be easy to reverse engineer.
The activity is triggered by sending an intent of the form adb shell am start -n com.android.engineeringmode/.qualcomm.DiagEnabled --es "code" "angela", where com.android.engineeringmode/.qualcomm.DiagEnabled is the component name of the DiagEnabled activity being exploited, "code" is the name of the string extra, and its value is the password. That password has now been discovered to be 'angela'. Sending the intent with the correct password sets the properties described above, after which an ADB shell on the device runs as root.
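The following script is an added example, not code from the article or from Anderson's disclosure. It gives a OnePlus owner (or an incident responder handed such a phone) a quick way to answer the two questions the article raises: is EngineerMode still installed, and has the escalatedUp path already been triggered? It works purely on the text of two ADB queries, so it can be run against saved output as well as a live device. The package name com.android.engineeringmode and the properties persist.sys.adbroot and oem.selinux.reload_policy come from the article; the helper names, the sample output and the assumption that adb is on PATH with USB debugging authorised are mine.

```shell
#!/bin/sh
# Added example: detect EngineerMode and the adbroot flag on a OnePlus device.
# Not part of the original article. Assumes `adb` is on PATH and the phone is
# authorised for USB debugging when run with --live; otherwise it only operates
# on text passed to the functions below.

ENGINEERMODE_PKG="com.android.engineeringmode"   # package named in the article

# has_engineermode PACKAGE_LIST
#   PACKAGE_LIST is the text of `adb shell pm list packages`, one
#   "package:<name>" per line. Returns 0 if EngineerMode is still installed.
#   CRs are stripped because `adb shell` output often carries \r\n endings.
has_engineermode() {
    printf '%s\n' "$1" | tr -d '\r' | grep -qx "package:${ENGINEERMODE_PKG}"
}

# adbroot_enabled GETPROP_OUTPUT
#   GETPROP_OUTPUT is the text of `adb shell getprop`, lines like
#   "[persist.sys.adbroot]: [1]". Returns 0 when the flag is set to 1,
#   i.e. escalatedUp has already run and adbd will start as root.
adbroot_enabled() {
    printf '%s\n' "$1" | tr -d '\r' | grep -q '^\[persist\.sys\.adbroot\]: \[1\]$'
}

# selinux_reload_requested GETPROP_OUTPUT
#   Same check for the second property the article says escalatedUp sets.
selinux_reload_requested() {
    printf '%s\n' "$1" | tr -d '\r' | grep -q '^\[oem\.selinux\.reload_policy\]: \[1\]$'
}

# assess PACKAGE_LIST GETPROP_OUTPUT
#   Prints a one-line verdict and returns:
#     0  EngineerMode absent and adbroot not set
#     1  EngineerMode present, DiagEnabled reachable but not yet triggered
#     2  persist.sys.adbroot already 1 (device has been escalated)
assess() {
    if adbroot_enabled "$2"; then
        if selinux_reload_requested "$2"; then
            echo "ESCALATED: persist.sys.adbroot=1 and oem.selinux.reload_policy=1"
        else
            echo "ESCALATED: persist.sys.adbroot=1"
        fi
        return 2
    elif has_engineermode "$1"; then
        echo "EXPOSED: ${ENGINEERMODE_PKG} is installed; DiagEnabled is reachable"
        return 1
    else
        echo "CLEAN: ${ENGINEERMODE_PKG} not installed and adbroot not set"
        return 0
    fi
}

# Live mode: query a connected device. Skipped unless explicitly requested.
if [ "${1:-}" = "--live" ] && command -v adb >/dev/null 2>&1; then
    assess "$(adb shell pm list packages)" "$(adb shell getprop)"
fi
```

Run it as `sh check_engineermode.sh --live` with the phone connected. A return code of 1 means the backdoor path is present but unused; 2 means adbd is already configured to run as root, which on a phone you did not root yourself is worth treating as a compromise. As an interim measure until OnePlus ships a fix, removing the app for the primary user with `adb shell pm uninstall -k --user 0 com.android.engineeringmode` is my suggestion rather than anything the article or OnePlus recommends; it does not clear an adbroot flag that has already been set.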
Anyone familiar with rooting devices will recognise the risk this poses to OnePlus users: the same path hands a root shell to whoever can send that intent, with no bootloader unlock required. The company is expected to take note of the loophole and roll out a patch soon.