OnePlus 3/3T Vulnerability Allows Unauthorized Boot Mode Changing, Fixed in OOS 4.1

OnePlus 3/3T Vulnerability Allows Unauthorized Boot Mode Changing, Fixed in OOS 4.1

We may earn a commission for purchases made using our links.

Both the OnePlus 3 as well as the OnePlus 3T have had some interesting vulnerabilities since it was launched. We first learned about the ability to change SELinux to permissive mode back in JanuaryThen in February we learned that you could bypass the Allow OEM Unlocking setting to unlock the bootloader, and then another that allowed you to disable dm-verity with a simple fastboot command. Thankfully though, OnePlus has been relatively quick to acknowledge these issues, and that hasn’t changed with this new one either.

This recent vulnerability allows you to change the boot mode with another simple fastboot command, even when the bootloader is locked. This shouldn’t be allowed since a locked bootloader should prevent any security-sensitive operation from being executed. However, on the OnePlus 3 and the OnePlus 3T, it is possible to boot the device into fastboot mode and execute a command like fastboot oem boot_mode {rf/wlan/ftm/normal} when you’re not allowed to. Do keep in mind that this is mostly limited to physical attackers.

This vulnerability, which is present in OxygenOS 4.0.3 and below, could cause the bootloader to load the platform in an non-secure configuration. For example, adb access is now available (even when host-authorization has not been triggered, though userdata remains unmounted) together with SELinux being in permissive mode. With all of this set up, an attacker could change the USB configuration so that sensitive USB interfaces are now enabled (such as the modem’s diag and AT interfaces).

So as a result, this could let someone modify modem-related configurations and extract sensitive information. As mentioned, this is possible on both the OnePlus 3 as well as the OnePlus 3T, but only devices that are currently running OxygenOS 4.0.3 and below. It would also be pretty easy to spot something is wrong, given the splash screen while booting would change, alerting the user of changes. This has been patched in OxygenOS 4.1 by removing the fastboot oem boot_mode from its bootloader. OnePlus started rolling out this 4.1 OOS update 4 days ago, but has yet to publish the image files on their official downloads page. You can find the full ROM and OTA on this

Source: Aleph Research Advisory