Posted May 13, 2017 Source: https://www.xda-developers.com/new-security-research-reveals-all-oneplus-devices-are-vulnerable-to-downgrade-attacks/ https://www.androidheadlines.com/2017/05/4-unaddressed-security-flaws-in-oneplus-ota-process-revealed.html https://www.bleepingcomputer.com/news/security/oneplus-smartphones-vulnerable-to-os-downgrade-attacks/ Quote Four major vulnerabilities have been identified by Aleph Security in the OTA upgrade process of all OnePlus devices but the Chinese company has yet to address any of the issues. The group reported the vulnerabilities to OnePlus back in January but OnePlus hasn’t patched any of the reported vulnerabilities three and a half months later. The delay in releasing the much-needed fixes prompted Aleph Security to publicize its findings, the firm said. The cyber security research team highlighted the need to patch these security flaws as soon as possible since malicious individuals could hack the system update process and even exploit some of the previously patched vulnerabilities. Another security risk is the ability to install ROMs not officially released to the device even with a locked bootloader, which runs the risk of installing malicious ROMs filled with spying apps. (Android Headlines) Affected Devices: Quote The vulnerabilities in question are possible on at least one of every smartphone OnePlus has produced. So, if you have the OnePlus One, OnePlus 2, OnePlus 3, OnePlus 3T or the OnePlus X, then your device is vulnerable to at least one of these attacks. This assumes you are running either OxygenOS or HydrogenOS though, which are the two firmwares that OnePlus is responsible for. The attack targets weaknesses in how the phones accept OTA updates. How the vulnerability work Quote This is possible via a man-in-the-middle attack, or simply when sideloading an OTA update via recovery. However, it should be noted that the OnePlus 3 and OnePlus 3T are not vulnerable to this sideload attack vector assuming Secure Start-up is enabled (Full Disk Encryption (FDE) with user credentials). These vulnerabilities enable the attacker to downgrade your version of OxygenOS or HydrogenOS. So no matter what new security patches your OnePlus device has, the software can be easily downgraded (without a factory reset) and then exploited via an old vulnerability. So i would suggest not connecting to any public WiFi without a VPN .... or just don't OTA updates without check the file or manually update from oneplus websites and SHA/MD5 sumcheck. This doesn't really affect me or some users which is running custom roms. It really worrying that one plus haven't address this issue.... There are a lot of video that show you how to make your own VPN by turning a old pc/raspberry pi/router to your own VPN server. (Google OPENVPN) Magical Pineapples
