A security researcher has discovered four vulnerabilities that affect all OnePlus handsets, including the One, X, 2, 3 and 3T, running OxygenOS 4.1.3 (the latest worldwide release at the time) and earlier, as well as HydrogenOS 3.0 and earlier (the build shipped to Chinese users).
Damn, I am feeling bad, I myself use OnePlus.
One of the unpatched vulnerabilities allows a Man-in-the-Middle (MitM) attack against OnePlus device users, letting a remote attacker downgrade the device's operating system to an older version, which expands the attack surface by reintroducing previously disclosed, since-patched vulnerabilities.
What's even worse? The other two vulnerabilities also allow a MitM attacker to replace any version of OxygenOS with HydrogenOS (or vice versa), and, on the One and X, to replace the operating system with the signed OnePlus image built for the other device.
When OnePlus had still not released patches after the 90-day responsible-disclosure period and a further 14-day ultimatum, the researcher decided to publish the details of the vulnerabilities, which are described below.
1 — OnePlus OTA Updates Over HTTP: CVE-2016-10370
It's 2017, and you would be shocked to learn that a popular device manufacturer is sending you OS updates and security patches over an unencrypted channel.
Roee Hay, together with Sagi Kedmi, who independently discovered the same issue, report that OnePlus delivers signed OTA (over-the-air) updates over plain HTTP without TLS, allowing an on-path attacker to intercept and replace them.
Since the OTA updates are signed with a digital signature, this bug alone is not sufficient to push malicious updates to the affected devices.
But this weakness is what makes the three vulnerabilities reported below exploitable remotely: they let an attacker substitute a genuinely signed image that was never meant for the device, so the signature check passes even though the purpose of signing is defeated.
2 — OnePlus OTA Downgrade Attack: CVE-2017-5948
This flaw allows a remote attacker to downgrade the operating system of a targeted OnePlus device, running either OxygenOS or HydrogenOS, to an earlier version that may contain previously disclosed vulnerabilities.
Since all OnePlus OTAs, across different ROMs and products, are signed with the same digital key, the device will accept and install any genuine OnePlus OTA image, even if the bootloader is locked.
Android OTA packages normally carry a check that refuses to install an image older than the build already on the device (stock AOSP packages compare the package's build timestamp against ro.build.date.utc in the updater-script), but OnePlus fails here as well: its updater never checks that the OTA image is at least as new as the installed version.
OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X and OnePlus One are affected by this vulnerability.
The researcher has also published proof-of-concept (PoC) code on GitHub.
3 — OxygenOS/HydrogenOS Crossover Attack: CVE-2017-8850
The same weakness behind the downgrade attack also allows a remote attacker to replace any version of OxygenOS on a targeted OnePlus device with any version of HydrogenOS, even on locked bootloaders.
This attack is possible, the researcher explains, because of "the fact (that) both ROMs use the same OTA verification keys."
The researcher has also published proof-of-concept (PoC) for this flaw on GitHub.
4 — OnePlus OTA One/X Crossover Attack: CVE-2017-8851
This flaw, which affects only the OnePlus X and OnePlus One, is practically the same as the two above, but in this case a remote MitM attacker can even replace the OS (Oxygen/Hydrogen) built for the OnePlus X with the OS (Oxygen/Hydrogen) built for the OnePlus One, even on locked bootloaders.
This is because both devices "use the same OTA verification keys" and "share the same ro.build.product system property." Since the device assertion in an OTA package is a string comparison on that property, the updater cannot tell the two models apart.
“That could theoretically allow for exploitation of vulnerabilities patched on one image but not on the other, in addition to the expansion of the attack surface,” Hay says. “Moreover, the vulnerability may result in having the device unusable until a Factory Reset is performed.”
A proof-of-concept exploit for this vulnerability has also been published.
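To make the root cause shared by flaws 2, 3 and 4 concrete, here is an added example written for this page (it is neither the researcher's PoC nor OnePlus code) that models an OTA acceptance check in Python. It contrasts a verifier that checks only the signature, one that also applies the stock ro.build.product assertion, and one that additionally binds the image to a per-model identifier and ROM family and enforces anti-rollback. The key, the metadata field names (`model`, `build_product`, `rom`, `build_utc`), the product strings and the timestamps are all hypothetical, and an HMAC stands in for the RSA signature so the script runs with the standard library alone.

```python
"""Toy model of OTA package acceptance (constructed example, not OnePlus code).

Three verifiers are compared against the same set of genuinely signed images:
signature only, signature + ro.build.product check, and a hardened check that
also binds the image to the hardware model and ROM family and refuses rollback.
"""
import hashlib
import hmac
import json

# Hypothetical key. Real images are RSA-signed; an HMAC stands in so the example
# needs only the standard library. That there is ONE key for every ROM and every
# device is the point: a valid signature says nothing about *which* device or
# ROM the image was meant for.
SHARED_OTA_KEY = b"hypothetical-shared-oneplus-ota-key"


def _canonical(meta: dict) -> bytes:
    return json.dumps(meta, sort_keys=True).encode()


def sign_package(meta: dict, key: bytes = SHARED_OTA_KEY) -> dict:
    """Build a signed OTA package: metadata plus a MAC over it."""
    sig = hmac.new(key, _canonical(meta), hashlib.sha256).hexdigest()
    return {"meta": meta, "sig": sig}


def signature_valid(pkg: dict, key: bytes = SHARED_OTA_KEY) -> bool:
    expected = hmac.new(key, _canonical(pkg["meta"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg["sig"])


def accept_signature_only(device: dict, pkg: dict) -> tuple[bool, str]:
    """The behaviour described in the advisory: a valid signature is all that is checked."""
    if not signature_valid(pkg):
        return False, "bad signature"
    return True, "installed"


def accept_with_product_check(device: dict, pkg: dict) -> tuple[bool, str]:
    """Adds the stock ro.build.product assertion; still fooled when two models share it."""
    ok, why = accept_signature_only(device, pkg)
    if not ok:
        return ok, why
    if pkg["meta"]["build_product"] != device["build_product"]:
        return False, "product mismatch"
    return True, "installed"


def accept_hardened(device: dict, pkg: dict) -> tuple[bool, str]:
    """Signature, per-model binding, ROM-family binding and anti-rollback."""
    if not signature_valid(pkg):
        return False, "bad signature"
    m = pkg["meta"]
    # ro.build.product alone is not enough (the One and the X share it), so bind
    # to a per-model identifier; 'model' is a hypothetical field for that.
    if m["model"] != device["model"]:
        return False, f"image built for {m['model']}, device is {device['model']}"
    if m["rom"] != device["rom"]:
        return False, f"image is {m['rom']}, device runs {device['rom']}"
    # Anti-rollback: refuse anything older than the installed build, the same idea
    # as the ro.build.date.utc comparison at the top of a stock AOSP updater-script.
    if m["build_utc"] < device["build_utc"]:
        return False, "downgrade: image older than installed build"
    return True, "installed"


# Constructed device states. 'build_product' is shared between the X and the One
# as the advisory describes; all strings and timestamps are hypothetical.
OP3_OXYGEN = {"model": "OnePlus 3", "build_product": "op3", "rom": "OxygenOS", "build_utc": 1_493_000_000}
OPX_OXYGEN = {"model": "OnePlus X", "build_product": "shared", "rom": "OxygenOS", "build_utc": 1_480_000_000}


def ota(model: str, build_product: str, rom: str, build_utc: int) -> dict:
    """A genuine (correctly signed) OnePlus image with the given metadata."""
    return sign_package({"model": model, "build_product": build_product, "rom": rom, "build_utc": build_utc})


SCENARIOS = {
    "legitimate update": (OP3_OXYGEN, ota("OnePlus 3", "op3", "OxygenOS", 1_495_000_000)),
    "downgrade (CVE-2017-5948)": (OP3_OXYGEN, ota("OnePlus 3", "op3", "OxygenOS", 1_470_000_000)),
    "ROM crossover (CVE-2017-8850)": (OP3_OXYGEN, ota("OnePlus 3", "op3", "HydrogenOS", 1_495_000_000)),
    "device crossover (CVE-2017-8851)": (OPX_OXYGEN, ota("OnePlus One", "shared", "OxygenOS", 1_495_000_000)),
}


def run_scenarios() -> dict:
    """Map scenario name -> (signature_only, product_check, hardened) accept/reject."""
    return {
        name: (accept_signature_only(dev, pkg)[0],
               accept_with_product_check(dev, pkg)[0],
               accept_hardened(dev, pkg)[0])
        for name, (dev, pkg) in SCENARIOS.items()
    }


def tampered_rejected() -> bool:
    """Editing a signed image breaks the MAC: the attacks replay genuine images, never forged ones."""
    pkg = ota("OnePlus 3", "op3", "OxygenOS", 1_495_000_000)
    pkg["meta"]["build_utc"] = 1_600_000_000
    return not signature_valid(pkg)


if __name__ == "__main__":
    for name, verdicts in run_scenarios().items():
        print(f"{name:34s}", "  ".join("accept" if v else "reject" for v in verdicts))
    print("tampered package rejected:", tampered_rejected())
```

Only the legitimate update passes all three verifiers; the downgrade, ROM crossover and device crossover are accepted by the signature-only check and by the ro.build.product check alike, and are rejected only once the image is bound to the model and ROM and a rollback check is enforced. A tampered package fails every verifier, which is why the attacks work purely by replaying images OnePlus itself signed.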
All of the above attacks depend on the attacker being able to swap the OTA image in transit, which is possible only because OnePlus delivers updates over plain HTTP; serving them over HTTPS/TLS (ideally with certificate pinning in the updater) would close that remote delivery path. The underlying weaknesses, one signing key for every ROM and every device and no anti-rollback check, would still remain and need separate fixes, since any other way of feeding the device a genuine image (such as a local sideload) would still be accepted.
Since exploitation requires the attacker to sit on the network path between the device and OnePlus's update servers (for example, on the same Wi-Fi network), users are advised to avoid connecting to untrusted or public Wi-Fi networks.