OnePlus backdoor means hackers could take over your phone

From CNET: Hackers who get hold of some OnePlus phones can get virtually unlimited access to their files and software through use of a testing tool called EngineerMode the company evidently left on the devices.

Robert Baptiste, a freelance security researcher who goes by the name Elliot Alderson on Twitter after the "Mr. Robot" TV show character, found the tool on a OnePlus phone and tweeted his findings Monday. Researchers at security firm SecureNow helped figure out the tool's password, a step that means hackers can get unrestricted privileges on the phone as long as they have the device in their possession.

The EngineeerMode software functions as a backdoor, granting access to someone other than an authorized user. Escalating those privileges to full do-anything "root" access required a few lines of code, Baptiste said. "It's quite severe," Baptiste said via a Twitter direct message.

OnePlus disagreed, though it said it's decided to modify EngineerTool.

"EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support," the company said in a statement. Root access "is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device. While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb [Android Debug Bridge command-line tool] root function from EngineerMode in an upcoming OTA."

View: Article @ Source Site