All OnePlus devices are vulnerable to attack, reveals security researcher

Not only one, but four vulnerabilities have been discovered on the Chinese smartphone brand OnePlus

Almost all OnePlus devices have been identified as vulnerable to downgrade attacks in recent research conducted by security experts.

A security researcher, Roee Hay of Aleph Research, HCL Technologies, has publicly disclosed the vulnerabilities discovered on almost every OnePlus flagship smartphone after a months-long wait for patches from the Chinese smartphone maker.

The flaws were first reported to OnePlus Security by the researcher on January 26 this year. However, the firm failed to meet the 90-day disclosure deadline. When the firm still had not released a patch for the reported issues after another 14 days, the researcher decided to go public with his findings.

Not one but four vulnerabilities have been discovered in the Chinese smartphone brand OnePlus; two of them, CVE-2017-5948 and CVE-2017-8850, have been marked critical, while the other two, CVE-2017-8851 and CVE-2016-10370, are rated high severity.

Models including the OnePlus One, OnePlus 2, OnePlus 3, OnePlus 3T and OnePlus X are stated to be affected by at least one of the discovered vulnerabilities.

All the models mentioned above run OxygenOS 4.1.3 and below or HydrogenOS 3.0 and below, two firmware builds developed by OnePlus itself.

In his research, Hay noted that the attacks target a weakness in how either operating system accepts an over-the-air (OTA) update.

According to Hay, the unpatched vulnerabilities allow a MitM (Man-in-the-Middle) attack, enabling attackers to downgrade the operating system to an older version. Additionally, they allow attackers to switch the device’s OS between OxygenOS and HydrogenOS, giving attackers an opportunity to exploit other vulnerabilities that had otherwise been patched in the newer operating system.

CVE-2016-10370:

Security researchers have found that OnePlus rolls out OS and security updates over an unencrypted channel. According to them, OnePlus delivers OTA updates over HTTP (Hypertext Transfer Protocol) without TLS (Transport Layer Security), enabling anyone positioned on the network path to perform a MitM attack on the devices.

CVE-2017-5948:

The second bug in the list allows attackers to downgrade the device’s operating system to an older version, which in turn allows them to exploit now-patched vulnerabilities.

Same product ROM Crossover (CVE-2017-8850) and Different product ROM Crossover (CVE-2017-8851)

Because both ROMs use the same OTA verification keys, attackers can install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders. This allows for exploitation of vulnerabilities patched on one image but not on the other, in addition to expanding the attack surface. This vulnerability can be exploited by Man-in-the-Middle (MitM) attackers targeting the update process, which is possible because the update transaction does not occur over TLS.

Unlike the aforementioned vulnerabilities, which affect all OnePlus devices, the different product ROM crossover affects only the OnePlus One and OnePlus X. Because both products use the same OTA verification keys and share the same system property, attackers can install OTAs of one product over the other, even on locked bootloaders.

That could theoretically allow for exploitation of vulnerabilities patched on one image but not on the other, in addition to expanding the attack surface. Moreover, the vulnerability may render the device unusable until a factory reset is performed. This vulnerability can be exploited by Man-in-the-Middle (MitM) attackers targeting the update process, which is possible because the update transaction does not occur over TLS.

In addition, attackers with physical access can reboot the phone into recovery and then use it to push the OTA.
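To make the four issues concrete from a defender's viewpoint, the following added example (not code from the article or from OnePlus) models an OTA acceptance policy that checks only the package signature, as the article describes, beside a hardened policy that also enforces transport security, product identity, ROM family and version monotonicity. The device and package values are constructed; the field names are loosely modelled on AOSP OTA metadata keys but are assumptions, not OnePlus's format.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Device:
    product: str          # constructed device identifier, e.g. "OnePlus3"
    os_family: str        # "OxygenOS" or "HydrogenOS"
    build_timestamp: int  # build time of the running firmware (epoch seconds)

@dataclass(frozen=True)
class OtaPackage:
    transport: str         # how the package was fetched: "http" or "https"
    signature_valid: bool  # outcome of verifying the package signature
    pre_device: str        # product the package was built for (cf. AOSP "pre-device")
    os_family: str         # ROM family the package belongs to
    post_timestamp: int    # build time of the firmware inside the package

def weak_accept(dev: Device, pkg: OtaPackage) -> bool:
    """Policy the article describes: a valid signature is the only check, so
    older builds and packages for the other ROM or product are installed."""
    return pkg.signature_valid

def hardened_accept(dev: Device, pkg: OtaPackage) -> Tuple[bool, str]:
    """Each rejection closes one issue from the article. The product check only
    helps if the two products do not report the same system property;
    otherwise per-product signing keys are required as well."""
    if pkg.transport != "https":
        return False, "fetched without TLS (CVE-2016-10370)"
    if not pkg.signature_valid:
        return False, "signature verification failed"
    if pkg.pre_device != dev.product:
        return False, "built for another product (CVE-2017-8851)"
    if pkg.os_family != dev.os_family:
        return False, "OxygenOS/HydrogenOS crossover (CVE-2017-8850)"
    if pkg.post_timestamp <= dev.build_timestamp:
        return False, "not newer than installed build (CVE-2017-5948)"
    return True, "accepted"

# Constructed sample device and packages; timestamps are made up.
DEVICE = Device("OnePlus3", "OxygenOS", 1_490_000_000)
SAMPLES = {
    "genuine":    OtaPackage("https", True, "OnePlus3", "OxygenOS",   1_495_000_000),
    "downgrade":  OtaPackage("https", True, "OnePlus3", "OxygenOS",   1_480_000_000),
    "crossover":  OtaPackage("https", True, "OnePlus3", "HydrogenOS", 1_495_000_000),
    "other_dev":  OtaPackage("https", True, "OnePlusX", "OxygenOS",   1_495_000_000),
    "plain_http": OtaPackage("http",  True, "OnePlus3", "OxygenOS",   1_495_000_000),
}

if __name__ == "__main__":
    for name, pkg in SAMPLES.items():
        print(f"{name:10} weak={weak_accept(DEVICE, pkg)} hardened={hardened_accept(DEVICE, pkg)}")
```

Every sample passes the weak policy because each carries a valid signature; only the genuine package passes the hardened one.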

(Source: Deccan Chronicle)