OnePlus smartphones have developed a bit of a cult following, thanks to a combination of design and affordability that few other Android handsets match. But OnePlus has also experienced some notable privacy and security issues, including a recent admission that it was collecting a sketchy amount of user data on its corporate servers. Now, a French security researcher has published evidence that nearly every OnePlus phone model comes pre-loaded with a factory testing app that essentially acts as a backdoor, potentially granting hackers full access to your device. Whoops!
It turns out that every OnePlus model, except the original OnePlus One, ships with an application called “Engineer Mode” buried in its operating system. The app is a development and factory testing tool, used for things like GPS checks and hardware scans. Tools of this kind are common on production lines, but they are normally disabled or stripped out before devices ship to consumers; otherwise their power and operating-system privilege invite abuse. In this case, while Engineer Mode isn’t reachable from the normal user interface, it takes little software probing to launch it, and from there a few simple commands can give an attacker root access to almost any OnePlus. The tool is OnePlus’s customized version of a Qualcomm diagnostic app; the function that opens the backdoor is gated only by a hard-coded password.
“It’s not good. In theory, this kind of app must be removed from the final release,” says Robert Baptiste, the firmware analysis researcher who discovered the flaw. “But [that] adds another operation in the factory, which costs time and is always complicated. So sometimes—often—companies decide to keep this app. Security by obscurity is a common practice.”
Unfortunately, OnePlus didn’t obscure its Engineer Mode quite enough.
OnePlus has sold millions of smartphones, and most of them currently carry Engineer Mode. OnePlus owners can go to Settings, show system apps, check whether Engineer Mode is installed, and then disable it (or uninstall it where the build allows).
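For anyone auditing a fleet of devices rather than tapping through Settings, the same check can be done from a workstation over adb. The script below is an added example written for this page; it is not code from the article, from OnePlus or from the researcher. It parses the text that `adb shell pm list packages -f` prints (one `package:<apk path>=<package name>` line per app), flags apps that live on a read-only OEM partition and whose package name suggests a factory or engineering tool, and prints the adb commands that neutralize them for the primary user. The article does not give Engineer Mode’s package name, so matching is by name fragment; the fragments, and every package in the embedded sample listing, are assumptions constructed for the example.

```python
"""Flag leftover factory/engineering test apps in an Android package listing.

Input is the output of `adb shell pm list packages -f`. Nothing here talks to
a device; capture that output and feed it in (example, not OnePlus code).
"""
import re
from dataclasses import dataclass

# Name fragments typical of production-line tooling. Heuristic assumption for
# this example; extend the tuple for the vendors you audit.
SUSPECT_FRAGMENTS = ("engineer", "factory", "fqc")

# Read-only partitions where OEM-shipped apps live. An app here was put there
# by the manufacturer, not installed by the user.
SYSTEM_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/", "/odm/", "/oem/")

LINE_RE = re.compile(r"^package:(?P<path>\S+?)=(?P<pkg>[A-Za-z0-9_.]+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    apk_path: str
    privileged: bool  # under priv-app, so eligible for signature|privileged permissions


def parse_listing(text):
    """Return (package, apk_path) pairs; lines not in pm's format are skipped."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            pairs.append((m.group("pkg"), m.group("path")))
    return pairs


def find_suspects(text):
    """OEM-partition apps whose name matches a factory-tool fragment."""
    findings = []
    for pkg, path in parse_listing(text):
        on_oem_partition = path.startswith(SYSTEM_PREFIXES)
        name_hit = any(frag in pkg.lower() for frag in SUSPECT_FRAGMENTS)
        if on_oem_partition and name_hit:
            findings.append(Finding(pkg, path, "/priv-app/" in path))
    return findings


def remediation(finding):
    """Commands that remove the app for user 0 without root. The APK stays on
    the read-only partition, so a factory reset brings it back."""
    return [
        f"adb shell pm uninstall -k --user 0 {finding.package}",
        f"adb shell pm disable-user --user 0 {finding.package}",
    ]


# Constructed sample listing; package names and paths are invented for the example.
SAMPLE = """\
package:/system/priv-app/EngineeringMode/EngineeringMode.apk=com.example.engineeringmode
package:/system/app/Calculator/Calculator.apk=com.android.calculator2
package:/vendor/app/FactoryTest/FactoryTest.apk=com.example.vendor.factorytest
package:/data/app/com.example.engineerblog-1/base.apk=com.example.engineerblog
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""

if __name__ == "__main__":
    for f in find_suspects(SAMPLE):
        tag = "priv-app" if f.privileged else "app"
        print(f"{f.package} ({tag}) at {f.apk_path}")
        for cmd in remediation(f):
            print("   ", cmd)
```

On the sample, the user-installed `com.example.engineerblog` is ignored even though its name matches: the point is OEM-shipped apps the user never chose. Note that `pm uninstall --user 0` only hides the app from the primary user; the APK remains on the system image, and a factory reset or a new user profile restores it, so a vendor update that removes the root function (as OnePlus promised) is the real fix.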
The tool can give an attacker total power over a device, but it also has real limitations. Baptiste and others point out that attacks exploiting the app require physical access to a given unit. OnePlus noted the same in a statement Tuesday, saying that Engineer Mode won’t grant full root privileges to third-party apps, ruling out more virulent remote attacks.
“EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after-sales support,” OnePlus says. “Any sort of root access would still require physical access to your device. While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming [software update].”
How Serious Is This?
Researchers emphasize that while the Engineer Mode flaws aren’t an apocalyptic crisis, they still represent a major overlooked security lapse. And while OnePlus’s upcoming fix should reassure users, some believe the episode hints at a larger potential problem with the company’s security screening and device vetting processes.
“This isn’t really a horrible situation, it will be an easy fix,” says Tim Strazzere, a researcher with the mobile security group RedNaga. “This is, however, indicative of their security posture and quality control. Maybe they’re all patched up for generic issues, but for any device/manufacturer specific issues, they likely have more. So, personally, I’d be looking to see how they respond to this and what other issues are on this device. Where there is one, there are often many more.”
Given that OnePlus doesn’t “see this as a major security issue,” it’s an open question as to whether the company will learn from the mistake and take more extensive precautions in the future. OnePlus owners should check their devices for Engineer Mode and call on the company to prioritize avoiding this type of flaw. And other manufacturers should take note as well.
“They suck, this is sure,” Baptiste says of OnePlus’s security, “but we can find this kind of thing in every firmware.”