Security researchers have discovered a hidden backdoor inadvertently left on many OnePlus smartphones that could be exploited by hackers to gain full access to users' devices. Robert Baptiste, a security researcher going by the name Elliot Alderson - a nod to the character in the popular Mr Robot TV series - discovered a factory-installed app on OnePlus devices that could be used by hackers to obtain root access to the phone, its files and software using just a few lines of code.
The researcher said he discovered the EngineerMode app when examining the latest firmware for the OnePlus 5 handset and said it could be exploited to allow root level control of devices running the firmware oneplus_5_oxygenos_4.5.14.
The app can diagnose GPS, check the root status and perform numerous automated tests and hardware scans among other functions. However, Baptiste found that by launching the "DiagEnabled" activity in the app with a specific password, the device could be rooted to give an attacker total control over it.
The EngineerMode tool, made by Qualcomm, comes pre-installed on most OnePlus devices including OnePlus 2, 3, 3T and the newly launched OnePlus 5.
Although the tool is password-protected, researchers at security firm NowSecure have already managed to crack the password.
"With the password, the EngineerMode app enables a debugging mode that is generally only needed for development of the device and grants full root privileges on the device via a simple ADB command or potentially by installing an APK from the Play Store," the NowSecure Mobile Threat Research Team wrote in a blog post.
Upon entering the password "angela" - likely another Mr Robot reference to the character Angela Moss - the developer gains permanent root access to the Android Debug Bridge process and, essentially, root privileges on the affected OnePlus device.
However, hackers would need to have physical access to the phone to carry out the exploit.
"At this time, the (app) is most useful to an attacker with physical access to a OnePlus device or an owner looking to root their own device," NowSecure said. "What seems especially careless is OnePlus leaving behind a system-signed .apk and a native library with a SHA256 hash of the password that was easily reversed."
To find out if your OnePlus device has EngineerMode installed, head over to the device's "Settings" > "Apps" > "Menu" > "Show System Apps." You can then search for EngineerMode in the app list to check if it is installed.
OnePlus later said EngineerMode is a "diagnostic tool mainly used for factory production line functionality testing and after sales support".
"We've seen several statements by community developers that are worried because this apk grants root privileges," the Chinese smartphone maker said in a statement. "While it can enable adb [Android Debug Bridge] root which provides privileges for adb commands, it will not let 3rd party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device."
"While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA."
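The manual check in Settings and the USB-debugging condition in OnePlus's statement can be combined into one audit over captured `adb` output. This is an added example, not code from NowSecure, OnePlus or the researcher; the sample package list is constructed, the package name in it is a placeholder, and the "engineer" match pattern is an assumption because the article gives only the app's label.

```shell
#!/bin/sh
# Added example: audit captured adb output for the EngineerMode exposure.
# On a connected, authorised device the two inputs would come from:
#   pkgs=$(adb shell pm list packages -s)
#   usb_debug=$(adb shell settings get global adb_enabled)

# Constructed sample output; the engineermode package name is a placeholder.
SAMPLE_PKGS='package:com.android.settings
package:com.example.engineermode
package:com.android.phone'

# Assumption: the package name contains "engineer" (case-insensitive).
PATTERN='engineer'

# Print matching package names, one per line; exit status 1 if none match.
# Carriage returns are stripped because some adb versions emit CRLF.
find_engineer_pkgs() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^package://p' | grep -i -- "$PATTERN"
}

# classify PKGS USB_DEBUG -> exposed | latent | clear
#   exposed: app present and USB debugging on (the condition OnePlus names)
#   latent:  app present, USB debugging off or unknown
#   clear:   no matching system package
classify() {
    debug=$(printf '%s' "$2" | tr -d '[:space:]')
    if ! find_engineer_pkgs "$1" >/dev/null; then
        echo clear
    elif [ "$debug" = "1" ]; then
        echo exposed
    else
        echo latent
    fi
}

classify "$SAMPLE_PKGS" 1
```

A "latent" result still warrants tracking until the OTA that removes the adb root function is installed, since USB debugging can be switched on later.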
The news comes just a month after OnePlus was discovered collecting its users' sensitive, personally identifiable information. It later scaled back its data collection programme. It also comes as its new OnePlus 5T is launched.