Qualcomm and OnePlus respond to one root backdoor, hacker finds data dump function

Advertisement

After a gray hat developer pull the entrails of a root vulnerability in OnePlus OxygenOS phones, OnePlus and Qualcomm are responding.

The big picture is that an OEM-side system app, EngineerMode, with base code from Qualcomm was left on the end user software of the OnePlus 5, OnePlus 3T, OnePlus 3, OnePlus One and, reportedly, the upcoming OnePlus 5T. Some ADB programming would allow for escalated privileges on the device. Furthermore, the app, while customizable by OEMs, seems to be similar enough to ones seen on ASUS and Xiaomi phones.

OnePlus is containing the damage by saying that the root method does not allow for third-party apps to increase their current privileges.

“Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on,” a OnePlus team member wrote in the company’s fan forum, “and any sort of root access would still require physical access to your device.”

While the company doesn’t see access to this engineering app as a security issue within itself, it will block off ADB access in an upcoming software update.

In the end, the hacker claims that it’s Qualcomm’s app in the first place that provides this gaping hole. But Alex Gantman of Qualcomm’s security defense team claims that while the app does have some source code spread around in it, OnePlus has customized it to the point where the chipmaker has nothing to do with it.

Furthermore, the original hacker — going under the “Mr. Robot” themed psuedonym of Elliot Alderson — has since surfaced a second diagnostic application entirely of OnePlus’s making that allows users to retrieve logs of the activities of Bluetooth, Wi-Fi, NFC, GPS and other antennas.

Active recording can be toggled on through a simple dialer code command.

Any and all data, including pictures and videos, can be dumped into external storage (not a microSD card on the OnePlus 5 at least) and shuttled away.

OnePlus has yet to respond to this vulnerability.

Share This Post
Advertisement
What's your reaction?
Love It
0%
Like It
0%
Want It
20%
Had It
20%
Hated It
60%
About The Author
Jules Wang
Jules Wang is News Editor for Pocketnow and one of the hosts of the Pocketnow Weekly Podcast. He came onto the team in 2014 as an intern editing and producing videos and the podcast while he was studying journalism at Emerson College. He graduated the year after and entered into his current position at Pocketnow, full-time.