Update: OnePlus has reached out to inform us that this vulnerability requires physical access to the device and a tethered PC connection to access the bootloader and root the device without unlocking it. OnePlus’ statement on the matter is below:
“We take security seriously at OnePlus . We are in contact with the security researcher, and a software update will be rolling out shortly.”
OnePlus is working as quickly as possible to get a fix implemented following confirmation of reports that its OnePlus 6 flagship suffers a bootloader security problem. More directly, the company released its statement today, acknowledging that the OnePlus 6 bootloader which gives root access to the handset could easily be bypassed without ever being unlocked. However, the company says it is working closely with the security researcher, Edge Security LLC’s Jason Donenfeld, to rectify that. There’s been no official timeframe announced, as of this writing, with regard to how long that might take but the company has historically been very good about putting out updates. So it shouldn’t take too long at all for OnePlus to get a fix in place and rolled out.
In the meantime, this security vulnerability is a relatively mild one compared to some problems faced by various OEMs, devices, and the OS over the past year. In fact, it requires physical access to a device in order to take advantage of. That doesn’t mean that it isn’t a serious concern but it goes without saying that the problem could be worse. Given physical access to a device, the bug makes it possible for an attacker to modify the OnePlus device with a boot image that’s modified with insecure ADB and ADB as root by default. That’s also completely possible without having USB debugging enabled and, worse still, with the bootloader still locked down. In short, it allows a malicious entity with physical access to completely bypass security measures with a relatively arbitrary change to the system image. The ease with which that type of change can be accomplished is the primary concern since it means that very little effort is needed to gain complete control over the flagship.
All things considered, this lapse in security could have been much worse. If the issue had been accessible without direct physical access to individual handsets, it would have left the OnePlus 6 wide open to massively scaled attacks. Since it requires very few changes to the OS itself, any such attacks could have been done in a way that would have gone mostly unnoticed. For now, users just need to wait for a fix to roll out and should probably take extra steps to ensure that nobody has access to their device for extended periods of time.