Using a OnePlus? Be Aware of These Security Vulnerabilities
The OnePlus phone might be poised to become a major competitor in the smartphone industry, but only if it can address these major security flaws.
While OnePlus fans eagerly await the Chinese phone’s release, they might want to take a look at a few of the phone’s flaws as well. Recently, security experts have uncovered major vulnerabilities in the OnePlus One, X, 2, 3 and 3T that pose a major risk to OnePlus users. If you’re interested in buying a OnePlus, be sure to download DFNDR on your new phone and to run Full Virus Scans regularly to keep your device secure against hackers who are taking advantage of the recently discovered vulnerabilities. In the meantime, don’t neglect the security of your current smartphone.
OnePlus is still sending operating system updates and security patches to smartphone users over unencrypted channels. When updates are sent through insecure channels, remote hackers are able to perform man-in-the-middle (MitM) attacks. This flaw alone is not enough to allow malicious updates to reach phones. However, when combined with other security loopholes, it allows attackers to override the digital signature associated with legitimate updates.
OnePlus Downgrade Attacks
Unlike other Android devices, which contain code that prohibits smartphone users from downgrading their operating system, the OnePlus contains no such checks. Due to this oversight, hackers are able to remotely downgrade the phone’s operating system to an earlier version that still contains vulnerabilities addressed by later OS upgrades.
OxygenOS and Hydrogen OS Attack
The OxygenOS and Hydrogen OS firmware for the OnePlus both rely on the same over-the-air verification keys. Due to this oversight, remote hackers are able to replace any version of the Oxygen operating system with any version of the Hydrogen operating system, according to security experts Roee Hay and Sagi Kedmi, who uncovered the security loopholes.
OnePlus One and OnePlus X OTA
Similar to the two flaws above, this crossover attack targets only the OnePlus X and the OnePlus One. In the case of this particular flaw, an MitM attacker can go a step further and replace the Hydrogen or Oxygen OS designed specifically for the OnePlus X phone with the version intended for OnePlus One phones. This attack is made possible because both versions share the same over-the-air verification keys as well as the same ro.build.product system property. The seriousness of this particular vulnerability should not be taken lightly, as it may render the device unusable until the phone has gone through a factory reset.
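The downgrade and crossover attacks above all work against an update client that accepts any correctly signed package. As an added example (not OnePlus's code or the researchers'), the Python below shows the extra checks a client can apply to a package's key=value metadata after its signature has verified. The `os-family` field, the device dictionary, the URL and every sample value are assumptions constructed for illustration.

```python
# Added illustration: policy checks for an OTA client to run on package
# metadata AFTER signature verification. All sample values are constructed.

def parse_metadata(text):
    """Parse key=value lines (the layout of META-INF/com/android/metadata)."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}

def check_ota(device, url, metadata_text):
    """Return the list of failed checks; an empty list means accept."""
    meta = parse_metadata(metadata_text)
    failed = []
    # Unencrypted delivery lets a MitM choose which signed package arrives.
    if not url.lower().startswith("https://"):
        failed.append("transport")
    # Downgrade: the package must not be older than the installed build
    # (the installed value corresponds to ro.build.date.utc).
    try:
        if int(meta.get("post-timestamp", "")) < device["build_utc"]:
            failed.append("downgrade")
    except ValueError:
        failed.append("downgrade")  # missing or malformed timestamp
    # Model crossover: only effective when each model has its own product
    # value; the page notes the One and X share ro.build.product.
    if meta.get("pre-device") != device["product"]:
        failed.append("product")
    # OS crossover: "os-family" is a hypothetical field standing in for
    # whatever separates two OS lines that share verification keys.
    if meta.get("os-family") != device["os_family"]:
        failed.append("os-family")
    return failed

def package(timestamp, product, os_family):
    """Build constructed metadata text for a sample package."""
    return (f"post-timestamp={timestamp}\n"
            f"pre-device={product}\n"
            f"os-family={os_family}\n")

# Constructed device state and update URL.
DEVICE = {"product": "device-x", "os_family": "OxygenOS",
          "build_utc": 1490000000}
URL = "https://ota.example.invalid/update.zip"
```

An empty result only means the policy checks passed; signature verification remains a separate, mandatory step before installation.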