Researchers from the Aleph Security group, who find security vulnerabilities in electronic devices, had found a way to hack a OnePlus 3 or OnePlus 3T with a charger.
All that was needed was a charger which was able to operate a Linux shell – in principle, the whole thing also worked on a PC, which turned out to be a charger.
Once the OnePlus 3 is connected to the malicious charger, it could simply send the smartphone to Fastboot mode, bypass or unlock the boot loader, and secure ADB access rights (Android Debug Bridge).
From this point on, for example, the Boot logo could be exchanged in the Bootloader or a CustomROM could be played.
The researchers, however, pushed the game further and ran a shell with root privileges on the OnePlus 3.
This enabled, for example, an espionage app on the smartphone, which passed all inputs and stored data to third parties – without sacrificing the victim.
In principle, the smartphone was in the hands of the attackers from this point until the connection to the charger was disconnected and even then it could be too late.
The charger did not have access to the stored data because the data partition was separated and encrypted, but once the device was started and unlocked normally, an infected app could transfer this data via the Internet connection.
In a video, the researchers show how the vulnerability has been exploited and the system partition overwritten.
OnePlus has made changes to the source code
The security gap resulted from an incorrect ADB setting, which starts the OnePlus 3 when connected to a charger. Normally the Smartphone goes into the “Charger boot mode”, as soon as a charger is attached, which was also the case here.
However, within the initialization instances, different ADB variables were set differently, which is why the ADB access was granted.
Interestingly, the access rights to the Android Debug Bridge in the source code since Android 4.1 Jelly Bean are blocked as standard, as soon as the smartphone hangs on a charger.
OnePlus had apparently made a few changes, which caused the security gap. Why the company had changed the values in the variables does not reveal itself to the researchers.
Security gap already stuffed
However, OnePlus has already reacted and has already exchanged the affected lines in the source code in a patch, which is why this method can no longer be used.
However, the whole thing shows in a clear way that even a charger can be incredibly dangerous.