

Qualcomm and OnePlus respond to one root backdoor, hacker finds data dump function

By Jules Wang November 15, 2017, 8:33 pm

After a gray hat developer pulled out the entrails of a root vulnerability in OnePlus OxygenOS phones, OnePlus and Qualcomm are responding.

The big picture is that an OEM-side system app, EngineerMode, with base code from Qualcomm, was left in the end-user software of the OnePlus 5, OnePlus 3T, OnePlus 3, OnePlus One and, reportedly, the upcoming OnePlus 5T. Some ADB programming would allow for escalated privileges on the device. Furthermore, the app, while customizable by OEMs, seems to be similar enough to ones seen on ASUS and Xiaomi phones.

OnePlus is containing the damage by saying that the root method does not allow for third-party apps to increase their current privileges.

“Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on,” a OnePlus team member wrote in the company’s fan forum, “and any sort of root access would still require physical access to your device.”

While the company doesn’t see access to this engineering app as a security issue in itself, it will block off ADB access in an upcoming software update.

In the end, the hacker claims that it’s Qualcomm’s app in the first place that provides this gaping hole. But Alex Gantman of Qualcomm’s security defense team claims that while the app does have some source code spread around in it, OnePlus has customized it to the point where the chipmaker has nothing to do with it.

Furthermore, the original hacker — going under the “Mr. Robot”-themed pseudonym of Elliot Alderson — has since surfaced a second diagnostic application entirely of OnePlus’s making that allows users to retrieve logs of the activities of Bluetooth, Wi-Fi, NFC, GPS and other antennas.

Active recording can be toggled on through a simple dialer code command.

Any and all data, including pictures and videos, can be dumped into external storage (not a microSD card on the OnePlus 5 at least) and shuttled away.

OnePlus has yet to respond to this vulnerability.

