OnePlus 6 smartphone flash override demoed

The recently released ‪OnePlus 6‬ smartphone allows the booting of arbitrary images, security researchers at Edge Security have discovered. According to the researchers, the trick is possible using the fastboot boot image.img feature on the BBK Electronics phone – even when the bootloader is completely locked and in secure …

  1. Steve Graham

    Is that a vulnerability? I'd pay extra for it.

    1. James 51

      If you need physical access and all it does is change the boot logo it doesn't sound like a big problem. Certainly I don't see why I should keep seeing the vodafone logo on my Q10 every time it boots up, my contract ended several years ago.

      1. Steve K

        The problem is it's a bootable disk image, not a picture/logo...

      2. Waseem Alkurdi

        You're probably thinking boot image instead of boot.img. Android devices have their Linux kernel (zImage + initramfs) stored in a boot.img, an image of the /boot partition.

      3. Waseem Alkurdi

        > If you need physical access and all it does is change the boot logo it doesn't sound like a big problem. Certainly I don't see why I should keep seeing the vodafone logo on my Q10 every time it boots up, my contract ended several years ago.

        Suppose it was the boot logo (the boot image, which it isn't, as other commentators and I have explained above).

        It would still be a vulnerability.

        What if the attacker loads a poisoned bootanimation.zip (which contains one or more images played as a fast slideshow at boot time)?

        The poisoned JPEG image files inside the bootanimation.zip could be theoretically used for a buffer overflow or some other attack (like the GDI+ buffer overflow attack years ago on Windows).

        So there, even that is considered a vulnerability.

        Edit: I don't see why @Dave 126 is getting downvoted. I totally see his point.

    2. Dave 126 Silver badge

      > Is that a vulnerability? I'd pay extra for it.

      It is a vulnerability - it means anyone with physical access to your handset can put whatever they want in it without your knowledge. This is in contrast to a phone that requires the user to unlock it and turn on USB debugging and jump through other hoops before flashing it with a new OS image.

      1. Richard 22

        fastboot boot is a one-time boot only; it loads the image into RAM and then boots it. It doesn't flash that image to storage. However you could potentially boot somebody else's phone with such an image, remove the connection from the PC and they would use it without knowing - it would remain potentially compromised until next power off.
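The two comments above describe what a boot.img is (kernel plus initramfs, per Waseem Alkurdi) and what `fastboot boot` does with it (loads it into RAM and jumps to it, per Richard 22). The following is an added example, not code from the article, the commenters or OnePlus: it builds a small boot.img in the AOSP header-version-0 layout from constructed, clearly fake kernel and ramdisk bytes, then parses it back to locate the kernel, the ramdisk and the kernel command line that a bootloader would hand to the kernel. The sample payloads, the `build_boot_img` helper and the default load addresses are assumptions for illustration; only the header layout (magic, sizes, addresses, page size, name, cmdline, id, extra cmdline) follows the real format.

```python
"""Inspect an Android boot.img (header version 0): locate kernel, ramdisk and cmdline.

Added example for this thread, not code from the article or from OnePlus.
Header layout follows the AOSP boot_img_hdr v0: the header occupies the first
page, then the kernel, ramdisk and optional second stage, each padded to page_size.
"""
import struct

BOOT_MAGIC = b"ANDROID!"
# v0 fields: magic[8], kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
# second_size, second_addr, tags_addr, page_size, header_version (unused in v0),
# os_version, name[16], cmdline[512], id[8 x u32], extra_cmdline[1024]
HDR_FMT = "<8s10I16s512s32s1024s"
HDR_SIZE = struct.calcsize(HDR_FMT)  # 1632 bytes


def page_align(n, page_size):
    """Round n up to the next multiple of page_size."""
    return (n + page_size - 1) // page_size * page_size


def parse_boot_img(data):
    """Return the kernel, ramdisk, load addresses and cmdline described by the header.

    Raises ValueError on a bad magic, an invalid page size, or a header whose
    sizes point past the end of the image (a truncated or lying header).
    """
    if len(data) < HDR_SIZE:
        raise ValueError("too short for a boot.img header")
    (magic, kernel_size, kernel_addr, ramdisk_size, ramdisk_addr,
     second_size, second_addr, tags_addr, page_size, header_version,
     os_version, name, cmdline, img_id, extra_cmdline) = struct.unpack_from(HDR_FMT, data, 0)
    if magic != BOOT_MAGIC:
        raise ValueError("bad magic %r" % magic)
    if page_size == 0 or page_size & (page_size - 1):
        raise ValueError("page_size must be a power of two, got %d" % page_size)

    kernel_off = page_size  # header is padded out to one full page
    ramdisk_off = kernel_off + page_align(kernel_size, page_size)
    second_off = ramdisk_off + page_align(ramdisk_size, page_size)
    end = second_off + page_align(second_size, page_size)
    if end > len(data):
        raise ValueError("header claims %d bytes but image is only %d" % (end, len(data)))

    return {
        "kernel": data[kernel_off:kernel_off + kernel_size],
        "ramdisk": data[ramdisk_off:ramdisk_off + ramdisk_size],
        "kernel_addr": kernel_addr,
        "ramdisk_addr": ramdisk_addr,
        "tags_addr": tags_addr,
        "page_size": page_size,
        "name": name.rstrip(b"\0").decode(),
        # The bootloader passes cmdline followed by extra_cmdline to the kernel.
        "cmdline": (cmdline.rstrip(b"\0") + extra_cmdline.rstrip(b"\0")).decode(),
    }


def build_boot_img(kernel, ramdisk, cmdline=b"", name=b"", page_size=2048,
                   kernel_addr=0x10008000, ramdisk_addr=0x11000000, tags_addr=0x10000100):
    """Assemble a v0 boot.img from raw kernel and ramdisk bytes (illustrative helper).

    The default load addresses are assumptions, not those of any real device.
    struct.pack null-pads the fixed-size string fields, so short names are fine.
    """
    hdr = struct.pack(HDR_FMT, BOOT_MAGIC, len(kernel), kernel_addr, len(ramdisk),
                      ramdisk_addr, 0, 0, tags_addr, page_size, 0, 0,
                      name, cmdline, b"\0" * 32, b"")

    def pad(blob):
        return blob + b"\0" * (page_align(len(blob), page_size) - len(blob))

    return pad(hdr) + pad(kernel) + pad(ramdisk)


# Constructed sample payloads: obviously not a real kernel or a real initramfs.
SAMPLE_KERNEL = b"\x7fELF" + b"fake-kernel-bytes"
SAMPLE_RAMDISK = b"\x1f\x8b" + b"fake-gzipped-cpio"


def sample_image():
    return build_boot_img(SAMPLE_KERNEL, SAMPLE_RAMDISK,
                          cmdline=b"console=ttyMSM0,115200n8", name=b"sample")


if __name__ == "__main__":
    info = parse_boot_img(sample_image())
    print("kernel %d bytes at 0x%08x, ramdisk %d bytes at 0x%08x, cmdline %r"
          % (len(info["kernel"]), info["kernel_addr"],
             len(info["ramdisk"]), info["ramdisk_addr"], info["cmdline"]))
```

The parser checks structure only: it tells you what an image would load and where, which is what the `fastboot boot` path hands to the kernel. Whether a locked bootloader should accept the image at all is a separate signature check that this example does not perform.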

      2. Dave 126 Silver badge

        Given the upvotes given to Steve the OP, it would appear there's general misunderstanding here. Perhaps the article should be rewritten for clarity?

        It is desirable for many owners to be able to load their choice of OS on their device. I can't see how it is desirable for an owner to be unable to prevent an attacker from loading an OS on their device - which is what this story is about.

        1. Dave 126 Silver badge

          Seriously, a lot of people here have got the wrong end of the stick.

          https://www.xda-developers.com/oneplus-6-bootloader-protection-exploit-physical-access/

          In no way can it be described as a 'feature'. The *option* to leave a Yale lock open using that little nubbin is a feature. This is akin to a lock that can't be locked at all - clearly a bug.

      3. Anonymous Coward

        > Is that a vulnerability? I'd pay extra for it.

        > It is a vulnerability - it means anyone with physical access to your handset can put whatever they want in it without your knowledge.

        Looks like you don't android. Normally it could be called a vulnerability. But you see, unlocking the bootloader on a OnePlus device uses almost the same procedure with fastboot, literally with just different commands. Both require physical access and also let you boot a boot.img like a custom recovery on the device to install a custom ROM.

        It's just a small bug. The researchers are just trying to make it look big.

      4. Cuddles

        "This is in contrast to a phone that requires the user to unlock it and turn on USB debugging and jump through other hoops before flashing it with a new OS image."

        Perhaps I'm missing something, but what exactly is the difference? The linked video shows someone using an unlocked phone with full access to everything. They already need to jump through hoops such as going through the Android settings menu to activate developer mode. What exactly does this "vulnerability" allow that couldn't already easily be done given the access required to exploit it? If someone has physical access to your unlocked phone plugged into their PC, exactly how much worse is it possible for things to get?

    3. TonyJ

      "...Is that a vulnerability? I'd pay extra for it..."

      I must admit my very first skim read, I thought it was a new feature.

      1. Dave 126 Silver badge

        ***This vulnerability doesn't require the phone to be unlocked with a passcode / fingerprint / pattern.***

        That's the damned point. It's a vulnerability. If you can install a new OS *after* authenticating yourself to the phone as its rightful owner - that's a feature.

  2. LeoP

    So what

    You need physical access .... hm, wasn't there something like "physical access = complete compromise modulo time interval" rule around? It seems to have fallen out of favour, though.

    As for encrypted contents: If you store your key where it is accessible by a random boot image, you might just not bother at all.

    1. Chloe Cresswell Silver badge

      Re: So what

      Physical access, you say... Sounds like a good point to be someone running USB charging sockets in, say, an airport?

  3. David Nash Silver badge

    I can boot my PC from an arbitrary boot image too. What's the big deal?

    1. Dave 126 Silver badge

      A phone is more prone to being lost or stolen than a PC - or even just mislaid for half an hour. Of course if you have people's sensitive data on your laptop then you are legally obliged to encrypt it.

      The issue here isn't that the OnePlus 6 can load an arbitrary boot image, but that an arbitrary boot image can be installed by someone other than the owner.

  4. Anonymous Coward

    Is this only the One Plus 6 or are older models affected as well?

    1. Dave 126 Silver badge

      Just the 6. The 5T had a less serious flaw in that it required the user (having first unlocked their phone) to turn on USB Debugging.

  5. Dabooka

    Next stage lose the PC

    I assume (perhaps simplistically) that given time and the desire, this vulnerability could be harnessed into a USB OTG device, negating the need for a PC?

    That'd be a big risk around here seeing how many phones are left on desks. Mind they're virtually all iThings anyway, but the point remains the same.

    1. Dave 126 Silver badge

      Re: Next stage lose the PC

      USB OTG isn't required - headless, battery operated PCs are already available, not much larger than a thumb drive. Not sure USB OTG would work - since it requires the phone to be the host.

  6. Anonymous Coward

    Here is a pretty good article on exploiting Qualcomm-based devices

    https://alephsecurity.com/2018/01/22/qualcomm-edl-1/

  7. _LC_

    Nothing but a small glitch.

    Compare it to the general problem and make up your own mind:

    https://www.wired.com/story/rowhammer-remote-android-attack/

    ...

    Nearly four years have passed since researchers began to experiment with a hacking technique known as "Rowhammer," which breaks practically every security model of a computer by manipulating the physical electric charge in memory chips to corrupt data in unexpected ways. Since that attack exploits the most fundamental properties of computer hardware, no software patch can fully fix it. And now, for the first time, hackers have found a way to use Rowhammer against Android phones over the internet.

    ...

  8. Anonymous Coward

    Quick! Grab the Widevine L1 keys before they patch this. I'd love to be able to watch Netflix in HD on my 5T :P
