Personal Tech

Heads up: OnePlus phones have a secret root backdoor and the password is 'angela'

Who left 'wipe the engineering toolkit' off the factory checklist?

By Shaun Nichols in San Francisco


Updated An apparent factory cockup has left OnePlus Android smartphones with an exposed diagnostics tool that can be potentially exploited to root the handsets.

Security researcher Robert Baptiste suggested the EngineerMode APK was made by Qualcomm, and was intended to be used by factory staff to test phones for basic functionality before they are shipped out to the public.

Unfortunately, it seems someone at OnePlus forgot to remove or disable the package before kicking the handsets out to the general public, and as a result folks now have access to what is effectively a backdoor in their Android phones.

In addition to basic diagnostic tasks like checking the functionality of the phone's hardware components – such as the GPS and wireless electronics – the tool can also allow people, using the password 'angela', to obtain root access and gain full control over a device:

What is worse, Baptiste and other researchers fear that this backdoor may not just be limited to the OnePlus phones that initially exposed the package, but could affect a number of handsets powered by Qualcomm's firmware and Snapdragon chipsets. We've asked the US chip designer for clarification.

The tweets and subsequent reports on the issue have not gone unnoticed by OnePlus, though no ETA on when a possible fix could arrive.

You can, of course, gain access to root yourself by fiddling with the bootloader on a OnePlus handset. The real fear is that a malicious app could potentially use the toolkit to achieve root access and then install further malware on a targeted device. ®

Updated to add

OnePlus said in a statement today that it will remove the toolkit in an over-the-air update soon, and added that the issue is perhaps not as bad as first feared...

We received a lot of questions regarding an apk found in several devices, including our own, named EngineerMode, and we would like to explain what it is. EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support.

We’ve seen several statements by community developers that are worried because this apk grants root privileges. While, it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.

While we don't see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA.

Final update

A Qualcomm spokesperson has been in touch to say to it's got little to do with this blunder:

After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm. Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided.

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Kaspersky Lab loses the privilege of giving Twitter ad money

Twitter's loss is the EFF's gain

Sir, you've been using Kaspersky Lab antivirus. Please come with us, sir

US govt bans agencies from using Russian outfit's wares

WikiLeaks drama alert: CIA forged digital certs imitating Kaspersky Lab

Vault 8 release says spooks used disguise to siphon off data

Surprise: Norks not actually behind Olympic Destroyer malware outbreak – Kaspersky

Who framed Pyongyang, then, we wonder

Kaspersky Lab's move from Russia to Switzerland fails to save it from Dutch oven

Netherlands turns up the heat as transparency plans unveiled

'We've nothing to hide': Kaspersky Lab offers to open up source code

Response to US fretting over alleged ties to Russian snoops

Brit bank Barclays' Kaspersky Lab diss: It's cyber balkanisation, hiss infosec bods

Analysis It's 2017: Is the splinternet nearer than ever?

Another US government committee takes aim at Kaspersky Lab

Worries about 'espionage, sabotage, or other nefarious activities' cough - NSA! - cough

It's 'nyet' again, yet again, for Kaspersky: Appeal against US govt ban snubbed by Washington DC court

Appeals judges shoot down Russian vendor's plea

Pain in the brain! Kaspersky warns of hackable brain implants

That furious clicking you hear is Charlie Brooker frantically writing his next script