There is bad news for all OnePlus lovers.
A security researcher has discovered four vulnerabilities that affect all OnePlus handsets, including the One, X, 2, 3 and 3T, running the latest versions of OxygenOS 4.1.3 (worldwide) and below, as well as HydrogenOS 3.0 and below (for Chinese users).
Damn, I am feeling bad, I myself use OnePlus.
One of the unpatched vulnerabilities allows a Man-in-the-Middle (MitM) attack against OnePlus device users, allowing a remote attacker to downgrade the device's operating system to an older version, which could then expand the attack surface for exploitation of previously disclosed, now-patched vulnerabilities.
What's even worse? The other two vulnerabilities also allow a MitM attacker to replace any version of OxygenOS with HydrogenOS (or vice versa), as well as to replace the operating system with the ROM built for a different OnePlus model. Every image involved is still a genuine OnePlus-signed build: the attacker cannot push an arbitrary ROM of their own, but can move the device onto a build whose known bugs have already been fixed elsewhere.
The vulnerabilities were discovered by Roee Hay of Aleph Research, HCL Technologies, who reported them to the company in January this year.
However, when OnePlus failed to release patches for the issues even after 90 days of responsible disclosure and 14 days of additional ultimatum, the researcher decided to go public with the details of the vulnerabilities, which are described below.
1 — OnePlus OTA Updates Over HTTP: CVE-2016-10370
It's 2017, and you would be shocked to know that one of the popular device manufacturers is sending you OS updates and security patches over an unencrypted channel.
Roee Hay and Sagi Kedmi, who also independently discovered it, claim that OnePlus is delivering signed OTA (over-the-air) updates over HTTP without TLS, allowing a remote attacker on the same network, or anywhere on the path to the update server, to intercept and replace the response.
Since the OTA updates carry a digital signature, this bug alone is not sufficient to push malicious updates to the affected devices.
But this weakness is the delivery channel for the other three vulnerabilities reported below: the device checks that an image is OnePlus-signed but not that it is newer, built for the same ROM variant, or built for the same model, so an attacker who controls the channel can choose which genuine image gets installed.
2 — OnePlus OTA Downgrade Attack: CVE-2017-5948
This flaw allows a remote attacker to downgrade the operating system of a targeted OnePlus device, whether running OxygenOS or HydrogenOS, to an earlier version that may contain previously disclosed vulnerabilities.
Since all OnePlus OTAs for different ROMs and products are signed with the same key, the device will accept and install any OnePlus OTA image, even if the bootloader is locked.
Android OTA packages normally carry an anti-rollback check (a stock AOSP updater-script aborts when the device's ro.build.date.utc is newer than the package's build timestamp), but OnePlus fails here as well: it does not check whether the offered OTA image is older than or equal to the currently installed version.
OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X and OnePlus One are affected by this vulnerability.
The researcher has also published proof-of-concept (PoC) code on GitHub.
3 — OxygenOS/HydrogenOS Crossover Attack: CVE-2017-8850
The second flaw listed above also allows a remote attacker to replace any version of OxygenOS on a targeted OnePlus device with any version of HydrogenOS (or vice versa), even on locked bootloaders.
This attack is possible because of "the fact (that) both ROMs use the same OTA verification keys," so a HydrogenOS image passes exactly the same signature check as an OxygenOS one.
According to the researcher, OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X and OnePlus One are affected by this vulnerability as well.
The researcher has also published a proof-of-concept (PoC) for this flaw on GitHub.
4 — OnePlus OTA One/X Crossover Attack: CVE-2017-8851
This flaw, which only affects OnePlus X and OnePlus One, is practically the same as the two above, but in this case a remote MitM attacker can even replace the OS (Oxygen/Hydrogen) designed for the OnePlus X with the OS (Oxygen/Hydrogen) designed for the OnePlus One, even on locked bootloaders.
This is because both devices "use the same OTA verification keys" and "share the same ro.build.product system property," so even an updater that asserts on ro.build.product cannot tell the two models apart.
"That could theoretically allow for exploitation of vulnerabilities patched on one image but not on the other, in addition to the expansion of the attack surface," Hay says. "Moreover, the vulnerability may result in having the device unusable until a Factory Reset is performed."
The researcher has also published a proof-of-concept exploit for this vulnerability.
All the above flaws are reachable only because OnePlus is not using secure communication for delivering OTA updates, and the network side can be patched easily just by introducing HTTPS/TLS with proper certificate validation. The acceptance policy stays permissive even then, so rejecting downgrades and images built for a different ROM variant or model closes the underlying weakness as well.
Since exploitation requires the attacker to be on the same network as the targeted device (or on the path between the device and the update server), users are advised to avoid connecting to untrusted or public Wi-Fi networks.
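The three signature-only failures above (downgrade, Oxygen/Hydrogen crossover, and the One/X crossover that survives a ro.build.product assert) come down to which properties the installer compares before accepting a correctly signed package. The following is an added example written for this page, not OnePlus's updater, the AOSP updater-script, or Aleph Research's PoC code. It models the acceptance decision under three policies and runs the three attacks plus a legitimate update through each. Assumptions: the RSA signature on a real OTA zip is stood in for by an HMAC under one constructed key (the page's point being that one key covers every ROM and product); the `rom` field, the shared `ro.build.product` value `oneplus_shared`, the per-model `ro.product.device` codenames and the timestamps are constructed sample data; whether OnePlus builds actually expose a property that distinguishes the ROM variant or the One from the X is not something the page states.

```python
"""Added example (not OnePlus or Aleph Research code): which OTA acceptance
checks, on top of a valid signature, block each attack described above."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass

# Constructed stand-in for the single OnePlus OTA signing key that the page
# says is shared by every ROM and product.  Real OTAs carry an RSA signature;
# nothing in the policy logic depends on the signature scheme.
OTA_SIGNING_KEY = b"constructed-demo-key-shared-by-every-rom-and-product"


@dataclass(frozen=True)
class Build:
    """Properties of an installed system or an OTA package.  Only the property
    names ro.build.product, ro.product.device and ro.build.date.utc are real
    Android names; all values below are constructed."""
    build_product: str    # ro.build.product (page: shared by OnePlus One and X)
    product_device: str   # ro.product.device (assumed unique per model)
    rom: str              # "oxygen" or "hydrogen" (assumed to be derivable)
    build_date_utc: int   # ro.build.date.utc


def sign_ota(build: Build) -> dict:
    """Package OTA metadata with a signature under the shared key."""
    body = json.dumps(asdict(build), sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(OTA_SIGNING_KEY, body, hashlib.sha256).digest()}


def verify_signature(pkg: dict) -> bool:
    expected = hmac.new(OTA_SIGNING_KEY, pkg["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, pkg["sig"])


def check_ota(installed: Build, pkg: dict, *, check_product: bool = False,
              check_rollback: bool = False, check_rom: bool = False,
              check_device: bool = False) -> str:
    """Return "accept" or "reject: <reason>".

    All flags False: the signature-only policy the page attributes to OnePlus.
    check_product + check_rollback: the asserts a stock AOSP updater-script
    performs (product name match, no install over a newer build).
    check_rom + check_device: the extra comparisons the two crossover attacks
    require, because the ROM variant and the One/X pair share the same
    ro.build.product and signing key."""
    if not verify_signature(pkg):
        return "reject: bad signature"
    ota = Build(**json.loads(pkg["body"]))
    if check_product and ota.build_product != installed.build_product:
        return "reject: ro.build.product mismatch"
    if check_rollback and ota.build_date_utc <= installed.build_date_utc:
        return "reject: downgrade (ro.build.date.utc not newer)"
    if check_rom and ota.rom != installed.rom:
        return "reject: ROM variant mismatch"
    if check_device and ota.product_device != installed.product_device:
        return "reject: ro.product.device mismatch"
    return "accept"


# Constructed device state: a OnePlus X on OxygenOS, April 2017 build.
ONEPLUS_X_OXYGEN = Build("oneplus_shared", "onyx", "oxygen", 1_491_000_000)

# Constructed packages an on-path attacker could serve over the cleartext OTA
# channel.  Each is a genuine (correctly signed) build; only the choice of
# which build to serve is the attacker's.
SCENARIOS = {
    "CVE-2017-5948 downgrade":         Build("oneplus_shared", "onyx", "oxygen", 1_470_000_000),
    "CVE-2017-8850 oxygen->hydrogen":  Build("oneplus_shared", "onyx", "hydrogen", 1_495_000_000),
    "CVE-2017-8851 X<-One crossover":  Build("oneplus_shared", "bacon", "oxygen", 1_495_000_000),
    "legitimate newer OxygenOS for X": Build("oneplus_shared", "onyx", "oxygen", 1_495_000_000),
}

POLICIES = {
    "signature_only": {},
    "aosp_style": dict(check_product=True, check_rollback=True),
    "hardened": dict(check_product=True, check_rollback=True, check_rom=True, check_device=True),
}


def run_policies(installed: Build = ONEPLUS_X_OXYGEN) -> dict:
    """Evaluate every scenario under every policy: {scenario: {policy: verdict}}."""
    return {name: {policy: check_ota(installed, sign_ota(build), **flags)
                   for policy, flags in POLICIES.items()}
            for name, build in SCENARIOS.items()}


if __name__ == "__main__":
    for name, verdicts in run_policies().items():
        print(name)
        for policy, verdict in verdicts.items():
            print(f"  {policy:15} {verdict}")
```

Run as written, the signature-only policy accepts all four packages; the AOSP-style policy stops only the downgrade, because the crossover images are newer and carry the matching ro.build.product; the hardened policy rejects all three attacks and still accepts the legitimate update. Note that the One/X case is only caught by a property that really differs between the two models, which is why fixing the transport (HTTPS) without tightening this policy leaves the same decision logic in place.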