There is bad news for all OnePlus lovers.
A security researcher has discovered four vulnerabilities that affect all OnePlus handsets, including the One, X, 2, 3 and 3T, running the latest versions of OxygenOS 4.1.3 (worldwide) and below, as well as HydrogenOS 3.0 and below (for Chinese users).
Damn, I am feeling bad; I use a OnePlus myself.
One of the unpatched vulnerabilities allows a Man-in-the-Middle (MitM) attack against OnePlus device users, letting a remote attacker downgrade the device's operating system to an older version, which in turn expands the attack surface for exploitation of previously disclosed, now-patched vulnerabilities.
What's even worse? The other two vulnerabilities also allow a MitM attacker to replace any version of OxygenOS with HydrogenOS (or vice versa), as well as to replace the operating system with a vendor-signed ROM built for a different device.
The vulnerabilities were discovered by Roee Hay of Aleph Research, HCL Technologies, who reported them to the company in January this year.
However, when OnePlus failed to release patches for the issues even after the 90 days of responsible disclosure and an additional 14-day ultimatum, the researcher decided to go public with the details of the vulnerabilities, which are described below.
1 — OnePlus OTA Updates Over HTTP: CVE-2016-10370
It's 2017, and you would be shocked to know that one of the popular device manufacturers is sending you OS updates and security patches over an unencrypted channel.
Roee Hay and Sagi Kedmi, who also independently discovered it, claim that OnePlus delivers signed OTA (over-the-air) updates over HTTP without TLS, allowing remote attackers to perform MitM attacks.
Since the OTA updates carry a digital signature, this bug alone is not sufficient to push malicious updates to the affected devices: an on-path attacker can swap the bytes in transit, but cannot forge a signature.
But this weakness facilitates the other three vulnerabilities reported below, which let an attacker sidestep the protection the signature is meant to provide by replaying images that OnePlus itself has legitimately signed.
2 — OnePlus OTA Downgrade Attack: CVE-2017-5948
This flaw allows a remote attacker to downgrade the operating system of a targeted OnePlus device, running either OxygenOS or HydrogenOS, to an earlier version that may contain previously disclosed vulnerabilities.
Since all OnePlus OTAs for the different ROMs and products are signed with the same digital key, the device will accept and install any OTA image, even if the bootloader is locked.
Android devices generally include logic that refuses to downgrade the OS, but OnePlus fails here as well: the updater does not check that the version of the given OTA image is at least the currently installed version.
OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X and OnePlus One are affected by this vulnerability.
The researcher has also published proof-of-concept (PoC) code on GitHub.
3 — OxygenOS/HydrogenOS Crossover Attack: CVE-2017-8850
This flaw allows a remote attacker to replace any version of OxygenOS on a targeted OnePlus device with any version of HydrogenOS (or vice versa), even on locked bootloaders.
The attack is possible because, as the researcher puts it, "both ROMs use the same OTA verification keys," so the device has no way to tell one ROM from the other when it verifies an update.
According to the researcher, OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X and OnePlus One are affected by this vulnerability as well.
The researcher has also published a proof-of-concept (PoC) for this flaw on GitHub.
4 — OnePlus OTA One/X Crossover Attack: CVE-2017-8851
This flaw, which only affects OnePlus X and OnePlus One, is practically the same as the two above, but in this case a remote MitM attacker can even replace the OS (Oxygen/Hydrogen) designed for the OnePlus X with the OS (Oxygen/Hydrogen) designed for the OnePlus One, even on locked bootloaders.
This is because both devices "use the same OTA verification keys" and "share the same ro.build.product system property," so neither the signature nor the product check distinguishes an image meant for the other handset.
"That could theoretically allow for exploitation of vulnerabilities patched on one image but not on the other, in addition to the expansion of the attack surface," Hay says. "Moreover, the vulnerability may result in having the device unusable until a Factory Reset is performed." The researcher has published a proof-of-concept exploit for this vulnerability as well.
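To make the acceptance logic behind flaws 2, 3 and 4 concrete, here is an added example in Python. It is not OnePlus code and not the Aleph Research PoC; it models a vulnerable updater that installs anything carrying a valid signature under one shared vendor key, beside a hardened one that also checks the delivery scheme, a key bound to the exact model and ROM, the target product and ROM fields, and the build timestamp. The key material, metadata field names, model strings, URLs and the HMAC stand-in for the real package signature are all assumptions made for the demo.

```python
"""Added example (not OnePlus code, not the Aleph Research PoC): a vulnerable
OTA acceptance check beside a hardened one. All keys, field names, model
strings and URLs below are assumptions constructed for this demonstration;
HMAC-SHA256 stands in for the real RSA package signature."""
from __future__ import annotations

import hashlib
import hmac
import json
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: one vendor-wide key, as the article says every OnePlus OTA
# for every ROM and product is signed with the same key.
SHARED_OTA_KEY = b"shared-oneplus-ota-key"

# Assumption for the hardened variant: a distinct key per (model, ROM), so a
# genuine image for another handset or ROM does not verify on this one.
PER_TARGET_KEYS = {
    ("OnePlus One", "OxygenOS"): b"key-one-oxygen",
    ("OnePlus One", "HydrogenOS"): b"key-one-hydrogen",
    ("OnePlus X", "OxygenOS"): b"key-x-oxygen",
    ("OnePlus X", "HydrogenOS"): b"key-x-hydrogen",
}


@dataclass(frozen=True)
class Device:
    model: str      # assumed distinct identifier; ro.build.product cannot tell One from X
    product: str    # ro.build.product, identical on OnePlus One and X per the article
    rom: str        # "OxygenOS" or "HydrogenOS"
    build_utc: int  # timestamp of the installed build (ro.build.date.utc)


@dataclass(frozen=True)
class OtaPackage:
    url: str        # where the updater fetched the package from
    metadata: dict  # constructed package metadata: product, rom, build_utc
    signature: str


def _payload(metadata: dict) -> bytes:
    return json.dumps(metadata, sort_keys=True).encode()


def sign_package(url: str, metadata: dict, key: bytes) -> OtaPackage:
    sig = hmac.new(key, _payload(metadata), hashlib.sha256).hexdigest()
    return OtaPackage(url, metadata, sig)


def signature_ok(pkg: OtaPackage, key: bytes) -> bool:
    expected = hmac.new(key, _payload(pkg.metadata), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg.signature)


def accept_ota_vulnerable(device: Device, pkg: OtaPackage) -> bool:
    """Only the signature under the shared key is checked: older builds, the
    other ROM, and the other handset's ROM all carry valid signatures."""
    return signature_ok(pkg, SHARED_OTA_KEY)


def accept_ota_hardened(device: Device, pkg: OtaPackage) -> tuple[bool, str]:
    """Reject plaintext delivery, images not signed for this model/ROM, images
    that declare another product/ROM, and anything not newer than installed."""
    if urlparse(pkg.url).scheme != "https":
        return False, "package fetched over plaintext HTTP"
    key = PER_TARGET_KEYS.get((device.model, device.rom))
    if key is None or not signature_ok(pkg, key):
        return False, "signature not valid for this model/ROM"
    md = pkg.metadata
    if md.get("product") != device.product or md.get("rom") != device.rom:
        return False, "package targets a different product or ROM"
    if md.get("build_utc", 0) <= device.build_utc:
        return False, "downgrade or replay of the installed build"
    return True, "ok"


def make_cases(keyed_by_target: bool) -> dict[str, OtaPackage]:
    """Constructed vendor-signed packages an on-path attacker could replay.
    With keyed_by_target=False every package is signed under the shared key."""
    def key(model: str, rom: str) -> bytes:
        return PER_TARGET_KEYS[(model, rom)] if keyed_by_target else SHARED_OTA_KEY

    https = "https://ota.example.invalid/update.zip"  # hypothetical URL
    current = {"product": "shared_product", "rom": "OxygenOS", "build_utc": 1_495_000_000}
    older = dict(current, build_utc=1_480_000_000)
    hydrogen = dict(current, rom="HydrogenOS")
    return {
        "current_update": sign_package(https, current, key("OnePlus One", "OxygenOS")),
        "older_build": sign_package(https, older, key("OnePlus One", "OxygenOS")),
        "hydrogen_rom": sign_package(https, hydrogen, key("OnePlus One", "HydrogenOS")),
        # Same ro.build.product as the One, so only the per-model key can catch it.
        "x_oxygen_rom": sign_package(https, current, key("OnePlus X", "OxygenOS")),
        "plain_http": sign_package(https.replace("https", "http", 1), current,
                                   key("OnePlus One", "OxygenOS")),
    }


DEVICE = Device("OnePlus One", "shared_product", "OxygenOS", build_utc=1_490_000_000)


def evaluate(device: Device = DEVICE) -> dict[str, dict[str, bool]]:
    """Run every constructed package through both checkers."""
    vulnerable = {n: accept_ota_vulnerable(device, p) for n, p in make_cases(False).items()}
    hardened = {n: accept_ota_hardened(device, p)[0] for n, p in make_cases(True).items()}
    return {"vulnerable": vulnerable, "hardened": hardened}


if __name__ == "__main__":
    for mode, results in evaluate().items():
        print(mode, results)
```

Running the script shows the vulnerable checker accepting all five packages, while the hardened one accepts only the genuine newer OxygenOS build served over HTTPS. Note that the product/ROM field check alone would not stop the OnePlus X image, because the article says the two handsets share ro.build.product; binding the signing key to the model is what closes that path in this model.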
All the above flaws are reachable only because OnePlus is not using secure communication for delivering OTA updates, and the remote attack path can be closed simply by serving updates over HTTPS/TLS. The shared signing key and the missing version and product checks are what let a delivered image be accepted in the first place, so they deserve fixing as well.
Since exploitation requires the attacker to be on the same network as the targeted device (or otherwise on the path between the device and the update server), users are advised to avoid connecting to untrusted or public Wi-Fi networks.