Recently launched OnePlus 6 has a serious vulnerability in its bootloader that makes it possible for someone to boot modified images to take full admin control of user’s phone even if the bootloader is locked.
What is a bootloader? How is it vulnerable in One Plus 6?
A bootloader is a part of Android built-firmware and it is the first thing that runs when you boot up your Android device. Locking a bootloader prevents anyone from modifying the phone’s operating system.
Researchers have discovered that the bootloader on OnePlus 6 is not entirely locked thus allowing anyone to modify boot image without even having to turn on USB debugging, thus taking full control of your device.
The vulnerability, however, can be exploited only when someone has a physical access to your OnePlus 6. The vulnerability would require plugging the phone into a computer, restarting the phone into fastboot mode and then transfer any arbitrary or modified boot image.
OnePlus has acknowledged the vulnerability and promised to release a software update shortly.
OnePlus has offered a statement on the matter:
“We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly.” – OnePlus spokesperson.
Ankush Johar, Director at Infosec Ventures said: OnePlus 6 users should be extra cautious and make sure that their device is not in the wrong hands, especially until a patch is released. Moreover, users are strongly advised to update their software as soon as the patch is released because the absence of a bootloader lock, attackers might be able to modify the OS without actually needing to wipe the device storage further gaining complete root access to the device.