OnePlus phones include an easily exploitable backdoor

Laverne Mann
November 15, 2017

The problem is that once discovered and decompiled, the app has a feature that easily gives root access to the device even without unlocking the devices' bootloader.

OnePlus, an electronics manufacturer based in China, has reportedly been shipping its line of popular smartphones with a hidden backdoor that could allow a hacker to hijack the device relatively effortlessly.

He was able to find a system app named EngineerMode that is actually a Qualcomm factory app with the ability to toggle components such as the charging chip, GPS, NFC and others - as this app shouldn't be included in consumer-side ROMs, it's a target app that malicious actors will want to crack into.

The app, called EngineerMode, is not normally seen unless you ask to see the device's system apps.

In this app, the developer has found activity known as "DiagEnabled", if enabled with a specific password, grants the root access. This app is used by OnePlus to ensure that a device is working properly before it leaves the factory.

More news: Tensions rise in Zimbabwe as military in outskirts of capital
More news: LeBron James, Cleveland Cavaliers take NY subway ride following Monday shootaround
More news: Syrian drone intercepted after approaching Israeli airspace

On Tuesday, developer Elliot Alderson tweeted that OnePlus has left behind an app that can act as a backdoor to get root access to a device without unlocking it. With root access, an attacker could change just about anything about the device's software.

Still, the presence of the app brings into question OnePlus' security protocols.

While it appears OnePlus is responsible for leaving Engineer Mode on its devices, it is not directly responsible for the application itself or the backdoor it creates. The company recently admitted to collecting personal information of users without their permission. Hopefully, that ends with an update that removes the app. Later, Pei confirmed in a blog post that OnePlus it will scale back on data collection on its devices.

OnePlus did not immediately respond to a request for comment.

Other reports by MaliBehiribAe

Discuss This Article