Roee Hay of Aleph Research (security researcher) has discovered new trivial flaws on OnePlus devices (One/X/2/3/3T) OxygenOS & HydrogenOS. The flaws affect the latest versions and below.
The flaws allow for a Man-in-the-Middle (MITM) attacker to interfere in the OTA update process in order downgrade OxygenOS/HydrogenOS to older versions and even to replace OxygenOS with HydrogenOS (and vice versa), both without a factory reset, allowing for exploitation of now-patched vulnerabilities.
OnePlus failed to patch these security issues after 90 days of responsible disclosure on January 26, 2017, and another 14 days as a deadline extension on April 9, 2017 – to date, so the researcher determined to publish the details of the vulnerabilities publicly.
CVE-2017-5948: Allows a remote attacker to downgrade the operating system of a targeted OnePlus device. All OnePlus devices are affected by this vulnerability.
CVE-2017-8850: Attackers can install HydrogenOS over OxygenOS and vice versa, even on locked bootloaders.
CVE-2017-8851: Attackers can install OTAs of one product over the other, even on locked bootloaders.
CVE-2016-10370: OnePlus pushes the signed-OTA over HTTP, thus it enables a trivial MiTM attack.
The vulnerabilities are still unpatched until now, all OnePlus 1, 2, 3, 3T and x devices are vulnerable, all users are recommended to connect only to trusted Wi-Fi networks.
