Hackers can take control of certain OnePlus smartphones through a root backdoor that the company accidentally left on the devices.
The discovery comes just a few days after reports on the Eavesdropper vulnerability, which was caused by careless developers and allows hackers to compromise almost 700 iOS and Android communication apps.
OnePlus Backdoor: What Happened?
Robert Baptiste, a freelance security researcher who goes by the Twitter username Elliot Alderson, after the main character of the Mr. Robot series played by Rami Malek, discovered that OnePlus inadvertently left a Qualcomm diagnostic tool inside its smartphones. Hackers can use the tool to gain root access, which effectively turns it into a backdoor on the affected devices.
The application is called EngineerMode, and it was made by Qualcomm to give manufacturers like OnePlus a tool to test all the components of their devices. Baptiste, however, claimed that the app could also provide root access to the devices to anyone with the right password.
The NowSecure research team has identified the password and verified that the tool can be used as a backdoor for hackers to gain access to OnePlus smartphones.
Unfortunately, reports claim that EngineerMode has also been discovered in Asus and Xiaomi devices. These reports, however, are so far unverified, and the manufacturers have made no official statement.
What Can Owners Of Affected OnePlus Smartphones Do?
NowSecure found the accidental backdoor on the OnePlus 3 and OnePlus 5; Android Police discovered it in the OnePlus 3T and in OxygenOS for the OnePlus One; and Baptiste added that it is also in the company's latest device, the OnePlus 5T.
OnePlus responded to the reports by saying that the problem is not as bad as people were saying. The company claimed that while EngineerMode can grant root privileges, it will not allow third-party apps to gain such access. In addition, gaining root access is only possible if users have activated USB debugging, and hackers will need to have physical access to the target device.
OnePlus, however, said that while it does not see the discovery as a major threat to security, it will address the concerns of users and fix the problem in an upcoming over-the-air update.
In the meantime, users who are worried about being victimized by the exploit can protect themselves by deactivating USB debugging on their OnePlus smartphone. They should also make sure that their device is with them at all times.