Heads up: OnePlus phones have a secret root backdoor and the password is 'angela'

Who left 'wipe the engineering toolkit' off the factory checklist?

By Shaun Nichols in San Francisco

Posted in Personal Tech, 14th November 2017 21:32 GMT

Updated An apparent factory cockup has left OnePlus Android smartphones with an exposed diagnostics tool that can be potentially exploited to root the handsets.

Security researcher Robert Baptiste suggested the EngineerMode APK was made by Qualcomm, and was intended to be used by factory staff to test phones for basic functionality before they are shipped out to the public.

Unfortunately, it seems someone at OnePlus forgot to remove or disable the package before kicking the handsets out to the general public, and as a result folks now have access to what is effectively a backdoor in their Android phones.

In addition to basic diagnostic tasks like checking the functionality of the phone's hardware components – such as the GPS and wireless electronics – the tool can also allow people, using the password 'angela', to obtain root access and gain full control over a device:

What is worse, Baptiste and other researchers fear that this backdoor may not just be limited to the OnePlus phones that initially exposed the package, but could affect a number of handsets powered by Qualcomm's firmware and Snapdragon chipsets. We've asked the US chip designer for clarification.

The tweets and subsequent reports on the issue have not gone unnoticed by OnePlus, though no ETA on when a possible fix could arrive.

You can, of course, gain access to root yourself by fiddling with the bootloader on a OnePlus handset. The real fear is that a malicious app could potentially use the toolkit to achieve root access and then install further malware on a targeted device. ®

Updated to add

OnePlus said in a statement today that it will remove the toolkit in an over-the-air update soon, and added that the issue is perhaps not as bad as first feared...

We received a lot of questions regarding an apk found in several devices, including our own, named EngineerMode, and we would like to explain what it is. EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support.

We’ve seen several statements by community developers that are worried because this apk grants root privileges. While, it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.

While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA.

Final update

A Qualcomm spokesperson has been in touch to say to it's got little to do with this blunder:

After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm. Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided.

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Surprise: Norks not actually behind Olympic Destroyer malware outbreak – Kaspersky

Who framed Pyongyang, then, we wonder

Kaspersky: Clumsy NSA leak snoop's PC was packed with malware

Lab suspects Chinese spyware was on home computer

Another banking trojan is trying to loot your cryptocurrency wallets

Trickbot variant adds Coinbase exchange to monitored sites

Cryptocurrency-crafting creeps crept crafty code into Google App Store

Chocolate Factory's anti-malware protections fail yet again

WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab

Vault 8 release says spooks used disguise to siphon off data

And Oracle E-biz suite makes 3: Package also vulnerable to exploit used by cryptocurrency miner

Hat trick!

Roses are red, Kaspersky is blue: 'That ban's unconstitutional!' Boo hoo hoo

New front opens in Russian firm's legal fight with US gov

SCOLD WAR: Kaspersky drags Uncle Sam into court to battle AV ban

Russian biz sues US govt for torpedoing anti-malware tool installations

Internet Society: Cryptocurrency probably not an identity system

ID on a blockchain? Maybe. ID on Bitcoin? Forget it

Nvidia reports record revenues in latest fiscal quarter

But cryptocurrency not growing for the GPU giants