After a gray hat developer pulled out the entrails of a root vulnerability in OnePlus OxygenOS phones, OnePlus and Qualcomm are responding.
The big picture is that an OEM-side system app, EngineerMode, with base code from Qualcomm, was left in the end-user software of the OnePlus 5, OnePlus 3T, OnePlus 3, OnePlus One and, reportedly, the upcoming OnePlus 5T. Some ADB programming would allow for escalated privileges on the device. Furthermore, the app, while customizable by OEMs, seems to be similar enough to ones seen on ASUS and Xiaomi phones.
OnePlus is containing the damage by saying that the root method does not allow for third-party apps to increase their current privileges.
"Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on," a OnePlus team member wrote in the company's fan forum, "and any sort of root access would still require physical access to your device."
While the company doesn't see access to this engineering app as a security issue in itself, it will block off ADB access in an upcoming software update.
In the end, the hacker claims that it's Qualcomm's app in the first place that provides this gaping hole. But Alex Gantman of Qualcomm's security defense team claims that while the app does have some source code spread around in it, OnePlus has customized it to the point where the chipmaker has nothing to do with it.
Based on our investigation, this EngineerMode app was not authored by @Qualcomm. There may be bits of QC source code there, and we believe others built upon a past testing app used to display device info. This EngineerMode app no longer resembles the original code we provided.
Furthermore, the original hacker — going under the "Mr. Robot"-themed pseudonym of Elliot Alderson — has since surfaced a second diagnostic application, entirely of OnePlus's making, that allows users to retrieve logs of the activities of Bluetooth, Wi-Fi, NFC, GPS and other antennas.
Active recording can be toggled on through a simple dialer code command.
How easy is it to trigger this?
- Tap *#800# in the dialer
- Click on "Get Wireless log"
- Done! You are in the OnePlusLogKit app.
You can also send the intent: adb shell am start -n com.oem.oemlogkit/.OneClickLogKitMainActivity
Any and all data, including pictures and videos, can be dumped into external storage (not a microSD card on the OnePlus 5 at least) and shuttled away.
OnePlus has yet to respond to this vulnerability.