A total of four security gaps in the OxygenOS and HydrogenOS operating systems on OnePlus smartphones allow an attacker to install an older operating system version via a modified over-the-air (OTA) update or to swap the two systems.
Roee Hay of Aleph Security describes the vulnerabilities in his blog. The gap was reported to OnePlus, and the manufacturer was given 90 days to close it. OnePlus did not meet an additional 14-day grace period either, so Hay is now publishing the details, much as Google does in such cases. The gap exists in the current version 4.1.3 as well as in 3.0 and older. In theory, all OnePlus smartphones are affected, such as the OnePlus 2 (review) and the OnePlus 3T (review).
Man-in-the-middle attack with wrong update
One vector is a man-in-the-middle (MitM) attack, for which the attacker has to be on the same WLAN as the smartphone. It also requires further user interaction, which reduces the likelihood of an attack, but the gap remains. The attacker in the middle sends the smartphone a message about a new update; the smartphone then fetches the URL contained in that message and downloads an outdated version.
Installing the older software is possible because OnePlus devices accept any software signed by OnePlus in an OTA update, even if it is older than the version already on the smartphone. In addition, all updates distributed by OnePlus are signed with the same key. Known gaps in the older operating system can then be reopened in order to execute malicious code, for example to root the smartphone without authorisation or to access user data. In a video, Roee Hay and Sagi Kedmi demonstrate the MitM attack.
ROMs of different systems and devices
Hay also explains that the ROMs of the OnePlus One and OnePlus X can be swapped, which can lead to errors due to incompatibility and render the smartphone unusable. In the same way, OxygenOS, which is used in Western markets, can be exchanged for the HydrogenOS offered in China.
OnePlus 3 (T) encryption against sideloading
Another possibility is to put the smartphone into recovery mode and then install the older operating system by sideloading. For this, however, the attacker must have physical access to the smartphone. At least on the OnePlus 3 and 3T this is not possible when the smartphone is encrypted with Full Disk Encryption. In addition, Hay notes that OnePlus has been distributing its updates unencrypted over HTTP for at least a year, which enlarges the potential attack surface.
A proof-of-concept for the security gap is available on GitHub. OnePlus has not yet commented on the security gaps.
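The two weaknesses the article describes, a device that accepts any vendor-signed package regardless of its age, and update metadata fetched over plain HTTP, are both absent from the checks an OTA client should make before flashing. The following Python example is an added illustration, not code from the article, from Aleph Security or from OnePlus: it verifies a constructed OTA manifest and shows that a signature check alone does not stop a downgrade when every build is signed with the same key; an explicit anti-rollback comparison and an HTTPS requirement are what reject it. The HMAC signature is a stand-in for the vendor's real asymmetric signature, and all manifests, versions and build timestamps are constructed sample data.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed stand-in for the vendor signing key. A real OTA scheme would
# use an asymmetric signature (RSA/ECDSA) and the device would hold only the
# public key; HMAC is used here so the example runs with the stdlib alone.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"

SIGNED_FIELDS = ("device", "version", "build_ts", "url", "sha256")


def canonical(manifest):
    """Serialize exactly the fields covered by the signature, in a fixed order."""
    fields = {k: manifest[k] for k in SIGNED_FIELDS}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign(manifest, key=VENDOR_KEY):
    """Signature over the canonical manifest (vendor side)."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def make_manifest(device, version, build_ts, url, payload):
    """Build a signed manifest for a constructed update payload."""
    manifest = {
        "device": device,
        "version": version,
        "build_ts": build_ts,
        "url": url,
        "sha256": hashlib.sha256(payload).hexdigest(),
    }
    manifest["signature"] = sign(manifest)
    return manifest


def parse_version(v):
    return tuple(int(p) for p in v.split("."))


def verify_ota(manifest, installed, expected_device):
    """Decide whether an OTA manifest may be applied.

    Returns (ok, reason). `installed` describes the firmware currently on the
    device: {"version": "x.y.z", "build_ts": int}.
    """
    try:
        expected_sig = sign(manifest)
    except KeyError:
        return False, "missing field"
    # 1. Signature must verify (constant-time compare). Note that a genuine
    #    but old vendor build passes this step, which is the page's point.
    if not hmac.compare_digest(manifest.get("signature", ""), expected_sig):
        return False, "bad signature"
    # 2. The package must be built for this device family (no ROM swapping).
    if manifest["device"] != expected_device:
        return False, "wrong device"
    # 3. Anti-rollback: never accept a package older than the installed one,
    #    checked on both the version string and the build timestamp.
    if parse_version(manifest["version"]) < parse_version(installed["version"]):
        return False, "downgrade rejected"
    if manifest["build_ts"] < installed["build_ts"]:
        return False, "older build rejected"
    # 4. The payload must be fetched over HTTPS, not plain HTTP.
    if urlparse(manifest["url"]).scheme != "https":
        return False, "insecure transport"
    return True, "ok"


def verify_payload(manifest, payload):
    """After download, the payload must match the hash bound by the signature."""
    return hmac.compare_digest(manifest["sha256"], hashlib.sha256(payload).hexdigest())


# Constructed device state and manifests (versions/timestamps are made up).
INSTALLED = {"version": "4.1.3", "build_ts": 20170601}
PAYLOAD_NEW = b"constructed new firmware image"
PAYLOAD_OLD = b"constructed old firmware image"
GOOD = make_manifest("oneplus3t", "4.1.4", 20170701, "https://updates.example/4.1.4.zip", PAYLOAD_NEW)
ROLLBACK = make_manifest("oneplus3t", "3.0.0", 20160101, "https://updates.example/3.0.0.zip", PAYLOAD_OLD)
PLAIN_HTTP = make_manifest("oneplus3t", "4.1.4", 20170701, "http://updates.example/4.1.4.zip", PAYLOAD_NEW)
OTHER_DEVICE = make_manifest("oneplusx", "4.1.4", 20170701, "https://updates.example/x.zip", PAYLOAD_NEW)

if __name__ == "__main__":
    for name, m in (("good", GOOD), ("rollback", ROLLBACK),
                    ("plain_http", PLAIN_HTTP), ("other_device", OTHER_DEVICE)):
        print(name, verify_ota(m, INSTALLED, "oneplus3t"))
    print("payload ok:", verify_payload(GOOD, PAYLOAD_NEW))
```

The rollback manifest carries a valid signature, so a client that only checks the signature would flash it; it is the version and timestamp comparison in step 3 that rejects it. On a real device the "installed" values should come from rollback-protected storage (for example a counter in the TEE or a replay-protected memory block), otherwise the downgraded image can simply rewrite them.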