OnePlus devices running the latest available software are vulnerable to attacks that can downgrade the phone’s operating system and re-expose the device to previously patched security flaws.
A security researcher, Roee Hay of Aleph Research, HCL Technologies, has discovered four trivial vulnerabilities that affect all OnePlus handsets (One/X/2/3/3T), running the latest versions of OxygenOS 4.1.3 and below, as well as HydrogenOS 3.0 and below. OxygenOS and HydrogenOS are custom versions of the Android OS running on OnePlus phones.
According to Hay, the vulnerabilities allow a Man-in-the-Middle (MitM) attacker to intercept the OTA update request and replace the update with an older version of the software, allowing exploitation of now-patched vulnerabilities. The downgrade would not cause the phone to factory reset, and it would leave the phone exposed to the additional vulnerabilities present in the older software.
Hay discovered the vulnerabilities and reported the problems to OnePlus in January this year, but the company failed to address any of the issues.
When OnePlus had not patched these security issues after the 90-day responsible-disclosure period and a further 14-day ultimatum, the researcher decided to publish the details of the vulnerabilities, which are described below.
1. CVE-2016-10370: OnePlus OTA Updates Over HTTP
OnePlus pushes the signed OTA over HTTP, which enables a trivial MitM attack.
Hay and Sagi Kedmi, who independently discovered the same issue, claim that OnePlus delivers signed OTA updates over HTTP without TLS, allowing remote attackers to perform MitM attacks: an attacker positioned on the network path can intercept and hijack the OnePlus phone’s OTA update process because it is handled via HTTP instead of HTTPS.
Since the OTA updates carry a digital signature, this bug alone is not sufficient to push malicious updates to affected devices. But it facilitates the other three vulnerabilities reported below, which could allow an attacker to defeat the signature protection as well.
2. CVE-2017-5948: OnePlus OTA Downgrade Attack
This flaw allows a remote attacker to downgrade the operating system of a targeted OnePlus device, running either OxygenOS or HydrogenOS, to an earlier version that may contain previously disclosed vulnerabilities.
Since all OnePlus OTAs for the different ROMs and products are signed with the same digital key, the device will accept and install any of those OTA images, even if the bootloader is locked.
Most Android devices include logic that prevents users from downgrading the OS, but OnePlus fails here as well: it does not check that the currently installed OS version is lower than or equal to the version of the given OTA image.
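The checks an OTA client needs to close the gaps described above (transport without TLS, one signing key for every product, and no anti-rollback comparison), as an added illustration that is not OnePlus code or part of the original write-up. The package format, the product names and the HMAC stand-in for the vendor's asymmetric signature are constructed assumptions; the point is that the signature is genuine in every case, so only the extra checks in `hardened_accept` separate a legitimate update from a replayed older image.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Constructed demo key standing in for the vendor's OTA signing key (real OTAs use an asymmetric signature).
SIGNING_KEY = b"constructed-demo-signing-key"


@dataclass
class OtaPackage:
    product: str        # ROM/product the image was built for (hypothetical field)
    version: str        # dotted version string, e.g. "4.1.3"
    fetched_from: str   # URL the update was served from; not part of the signed data
    payload: bytes
    signature: bytes


def _signed_data(product: str, version: str, payload: bytes) -> bytes:
    return product.encode() + b"|" + version.encode() + b"|" + payload


def make_package(product: str, version: str, url: str, payload: bytes) -> OtaPackage:
    """Build a genuinely signed package, as the vendor's build server would."""
    sig = hmac.new(SIGNING_KEY, _signed_data(product, version, payload), hashlib.sha256).digest()
    return OtaPackage(product, version, url, payload, sig)


def signature_valid(pkg: OtaPackage) -> bool:
    expected = hmac.new(SIGNING_KEY, _signed_data(pkg.product, pkg.version, pkg.payload),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg.signature)


def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))


def weak_accept(pkg: OtaPackage, device_product: str, installed_version: str) -> bool:
    """Signature-only acceptance, as the article describes: any genuinely signed
    image passes, including an older one or one built for another product."""
    return signature_valid(pkg)


def hardened_accept(pkg: OtaPackage, device_product: str, installed_version: str) -> bool:
    """Signature plus transport, product-binding and anti-rollback checks."""
    if not pkg.fetched_from.startswith("https://"):   # CVE-2016-10370: no TLS, no install
        return False
    if not signature_valid(pkg):
        return False
    if pkg.product != device_product:                 # one key for all ROMs: bind the product
        return False
    try:
        ota_ver, cur_ver = parse_version(pkg.version), parse_version(installed_version)
    except ValueError:                                # malformed version string: reject
        return False
    return ota_ver >= cur_ver                         # CVE-2017-5948: refuse downgrades
```

In practice the transport check belongs in the fetch itself (refuse to issue a plain-HTTP request) rather than being inspected after the fact; it is shown here as a flag on the package only to keep the example self-contained.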