OnePlus 6 Bootloader Vulnerability Could Let Attackers Boot a Modified Image; OnePlus Promises a Fix

Advertisement
By Jagmeet Singh | Updated: 11 June 2018 20:00 IST
Highlights
  • OnePlus 6 is found to have a bootloader vulnerability
  • It lets attackers boot a modified image without unlocking the bootloader
  • OnePlus has assured a software update to fix the issue

A vulnerability has been discovered on the OnePlus 6 that allows attackers to bypass bootloader protection measures and boot a modified firmware image. The new vulnerability, which thankfully requires physical access to the device, could potentially help attackers to gain total control over a device. OnePlus has since assured the release of a software update to patch the loophole. Last year, OnePlus 3, OnePlus 3T, and OnePlus 5 were spotted with a diagnostic app that had offered a backdoor to gain root access without unlocking the bootloader. The company fixed that issue through an over-the-air (OTA) update, though it received huge criticism for silently bundling the EngineerMode app that is originally designed to help device manufacturers test hardware components.

As discovered by Edge Security President Jason Donenfeld, an attacker can boot any arbitrary modified firmware image to the OnePlus 6 without unlocking the bootloader. Just as in the case of the EngineerMode app, the attacker needs a tethered connection to a PC to pus the modified image, reports XDADevelopers. There is, however, no need to enable the USB Debugging mode to exploit the flaw. This means the attacker just needs to connect the OnePlus 6 to a PC in a default state to boot arbitrary images.

Advertisement

Folks at AndroidPolice have managed to verify the security loophole by easily passing a new boot image to the OnePlus 6 via fastboot protocol. It has also been found that unsupervised access to the phone for a few minutes can help grant root access to anyone.

OnePlus in a media statement acknowledged the issue and said: "We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly."

Advertisement

 

Interestingly, this isn't the first time when a OnePlus device is found to have a bootloader vulnerability. As we mentioned, the EngineerMode app that came preloaded on OnePlus 3, OnePlus 3T, and OnePlus 5 was spotted to offer root privileges to attackers without unlocking the bootloader. The app essentially offered an adb root function to provide root access once the USB debugging is enabled. "While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from the EngineerMode in an upcoming OTA," the company had said in a forum post while detailing the flaw and promising an OTA update that debuted eventually in January.

Advertisement

Late last month, OnePlus 6 was in the headlines for its Face Unlock feature reportedly being fooled by a photo. A user posted a video on Twitter that showed how the latest OnePlus flagship can apparently be fooled into getting unlocked with just an image showing the face registered on it. "We designed Face Unlock around convenience, and while we took corresponding measures to optimise its security we always recommended you use a password/PIN/fingerprint for security. For this reason, Face Unlock is not enabled for any secure apps such as banking or payments. We're constantly working to improve all of our technology, including Face Unlock," OnePlus had said while defending the Face Unlock feature that is not as secure as Apple's Face ID or Samsung's Intelligence Scan that uses dedicated hardware to enable facial recognition.

 

 
REVIEW
  • Design
  • Display
  • Software
  • Performance
  • Battery Life
  • Camera
  • Value for Money
  • Good
  • Looks great
  • Excellent performance
  • Useful software customisations
  • Bad
  • Average camera quality
  • No wireless charging or weatherproofing
 
KEY SPECS
Display 6.28-inch
Processor Qualcomm Snapdragon 845
Front Camera 16-megapixel
Rear Camera 16-megapixel + 20-megapixel
RAM 8GB
Storage 128GB
Battery Capacity 3300mAh
OS Android 8.1 Oreo
Resolution 1080x2280 pixels
NEWS
VARIANTS

Get your daily dose of tech news, reviews, and insights, in under 80 characters on Gadgets 360 Turbo. Connect with fellow tech lovers on our Forum. Follow us on X, Facebook, WhatsApp, Threads and Google News for instant updates. Catch all the action on our YouTube channel.

Further reading: OnePlus
Advertisement

Related Stories

Popular Mobile Brands
  1. Top 10 Deals on Bluetooth and Party Speakers During Amazon's Prime Day Sale
  2. iQOO 16 May Skip India Launch Due to Rising Memory Costs, Tipster Claims
  3. Vivo G5i, Vivo G5z Launched With 7,200mAh Battery, Snapdragon 4 Gen 2 SoC
  4. Vivo Y500 4G Makes Global Debut With an 8,100mAh Battery: See Price
  1. iQOO 16 May Not Launch in India as Rising Component Prices Impact Plans; Only One Z-Series Phone Tipped
  2. Xbox Announces 3,200 Layoffs, Four Studio Divestments Through 2027; Plans Biggest Restructure in Its History
  3. Nothing Ear 3a Spotted in Leaked Renders That Leave Little to the Imagination Ahead of Their Debut
  4. Vivo G5i, Vivo G5z Launched With 7,200mAh Battery, Snapdragon 4 Gen 2 SoC: Price, Features
  5. Redmi Note 17 and Poco M8 Plus Appear on BIS Certification Database, Might Launch in India Soon: Report
  6. Stablecoin Transactions Hit Record $1.79 Trillion in June, Analytics Show
  7. South Africa Proposes Crypto Tax Guidance Under Existing Framework
  8. Insta360 X6 Could Launch Soon With Larger Sensor, US FCC Listing Suggests
  9. Vivo V80 Series Price Range in India, Launch Timeline Tipped Along With Key Specifications, Features
  10. Huawei Pura 90 Series Global Launch Set for July 14; Pura 90s Pro Max Teased
Download Our Apps
Available in Hindi
© Copyright Red Pixels Ventures Limited 2026. All rights reserved.