New Security Research Reveals All OnePlus Devices are Vulnerable to Downgrade Attacks
Back on January 26, 2017, Aleph Research notified OnePlus about four different vulnerabilities that they felt needed to be patched. Two of these have been marked as critical (CVE-2017-5948 & CVE-2017-8850) while the other two had their severity marked as high (CVE-2017-8851 & CVE-2016-10370). The team reported these to OnePlus in a responsible manner, which came with a 90-day disclosure deadline. Aleph Research even extended that deadline by 14 days, but the vulnerabilities are still unpatched.
Every smartphone OnePlus has produced is affected by at least one of these vulnerabilities. So, if you have the OnePlus One, OnePlus 2, OnePlus 3, OnePlus 3T or the OnePlus X, then your device is vulnerable to at least one of these attacks. This applies to devices running either OxygenOS or HydrogenOS, the two firmwares that OnePlus is responsible for. The attack targets weaknesses in how the phones accept OTA updates.
The attack can be carried out via a man-in-the-middle attack, or simply by sideloading an OTA update via recovery. However, it should be noted that the OnePlus 3 and OnePlus 3T are not vulnerable to the sideload attack vector as long as Secure Start-up is enabled (Full Disk Encryption (FDE) with user credentials). These vulnerabilities let an attacker downgrade your version of OxygenOS or HydrogenOS. So no matter how recent the security patches on your OnePlus device are, the software can easily be downgraded (without a factory reset) and then exploited via an old vulnerability.
There is also the issue that OnePlus X software can be installed on the OnePlus One in this way, and OnePlus One software on the OnePlus X. Both cases lead to a Denial of Service (DoS) and result in a bootloop until a factory reset is done. We hope that these issues disclosed by Aleph Research are promptly patched now that the research team has publicized their work.
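The two failure modes described above (accepting an older build, and accepting a package built for a different model) are what an update installer's metadata checks are meant to refuse. The following is an added example written for this article, not OnePlus's code or the researchers' proof of concept; it assumes a key=value metadata file in the style of Android's `META-INF/com/android/metadata` (`pre-device`, `post-timestamp`, `post-security-patch-level`), constructed device state, and that the package signature has already been verified before these checks run.

```python
from datetime import date

# Constructed state of the installed firmware (assumed values, not real OnePlus data).
INSTALLED = {
    "device": "phone-a",
    "build_timestamp": 1490000000,       # build time of the running firmware (epoch seconds)
    "security_patch": date(2017, 3, 1),  # installed security patch level
}

# Constructed OTA metadata samples: a genuine newer build, an older build, and a
# build for another model. Format assumed, modelled on Android's OTA metadata file.
NEWER = "pre-device=phone-a\npost-timestamp=1495000000\npost-security-patch-level=2017-05-01\n"
OLDER = "pre-device=phone-a\npost-timestamp=1480000000\npost-security-patch-level=2016-12-01\n"
OTHER = "pre-device=phone-b\npost-timestamp=1495000000\npost-security-patch-level=2017-05-01\n"


def parse_metadata(text):
    """Parse key=value lines into a dict, ignoring blank or malformed lines."""
    meta = {}
    for line in text.splitlines():
        line = line.strip()
        if line and "=" in line:
            key, _, value = line.partition("=")
            meta[key.strip()] = value.strip()
    return meta


def check_update(meta, installed):
    """Return (accepted, reason). Assumes the package signature was verified first."""
    # 1. Device match: a package for another model must never be flashed (bootloop case).
    if meta.get("pre-device") != installed["device"]:
        return False, "device mismatch"
    # 2. Anti-rollback on build time: anything not strictly newer is refused.
    try:
        ts = int(meta.get("post-timestamp", ""))
    except ValueError:
        return False, "missing or invalid post-timestamp"
    if ts <= installed["build_timestamp"]:
        return False, "downgrade: build timestamp not newer"
    # 3. Anti-rollback on the security patch level, independent of the build time.
    try:
        spl = date.fromisoformat(meta.get("post-security-patch-level", ""))
    except ValueError:
        return False, "missing or invalid post-security-patch-level"
    if spl < installed["security_patch"]:
        return False, "downgrade: security patch level older than installed"
    return True, "accepted"


def demo():
    """Run the three constructed packages through the checks."""
    return {name: check_update(parse_metadata(text), INSTALLED)
            for name, text in (("newer", NEWER), ("older", OLDER), ("other-model", OTHER))}
```

Without the signature check the metadata is attacker-controlled, so these comparisons only add value once a man-in-the-middle cannot alter the package.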
Source: Aleph Research