Heads up: OnePlus phones have a secret root backdoor and the password is 'angela'
Who left 'wipe the engineering toolkit' off the factory checklist?
Updated An apparent factory cockup has left OnePlus Android smartphones with an exposed diagnostics tool that can be potentially exploited to root the handsets.
Security researcher Robert Baptiste suggested the EngineerMode APK was made by Qualcomm, and was intended to be used by factory staff to test phones for basic functionality before they are shipped out to the public.
Unfortunately, it seems someone at OnePlus forgot to remove or disable the package before kicking the handsets out to the general public, and as a result folks now have access to what is effectively a backdoor in their Android phones.
<Thread> Hey @OnePlus! I don't think this EngineerMode APK must be in an user build...🤦♂️— Elliot Alderson (@fs0c131y) November 13, 2017
This app is a system app made by @Qualcomm and customised by @OnePlus. It's used by the operator in the factory to test the devices. pic.twitter.com/lCV5euYiO6
In addition to basic diagnostic tasks like checking the functionality of the phone's hardware components – such as the GPS and wireless electronics – the tool can also allow people, using the password 'angela', to obtain root access and gain full control over a device:
What is worse, Baptiste and other researchers fear that this backdoor may not just be limited to the OnePlus phones that initially exposed the package, but could affect a number of handsets powered by Qualcomm's firmware and Snapdragon chipsets. We've asked the US chip designer for clarification.
To disable root (otherwise stays permanent), do: " setprop persist.sys.adb.engineermode 0" and "setprop persist.sys.adbroot 0" or call code *#8011#. Backdoor is not oneplus but Qualcomm firmware specific if not removed when compiling.— Bjoern Kerler (@viperbjk) November 14, 2017
The tweets and subsequent reports on the issue have not gone unnoticed by OnePlus, though no ETA on when a possible fix could arrive.
Thanks for the heads up, we're looking into it.— Carl Pei (@getpeid) November 13, 2017
You can, of course, gain access to root yourself by fiddling with the bootloader on a OnePlus handset. The real fear is that a malicious app could potentially use the toolkit to achieve root access and then install further malware on a targeted device. ®
Updated to add
OnePlus said in a statement today that it will remove the toolkit in an over-the-air update soon, and added that the issue is perhaps not as bad as first feared...
We received a lot of questions regarding an apk found in several devices, including our own, named EngineerMode, and we would like to explain what it is. EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support.
We’ve seen several statements by community developers that are worried because this apk grants root privileges. While, it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.
While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA.
A Qualcomm spokesperson has been in touch to say to it's got little to do with this blunder:
After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm. Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided.