Almost all recent OnePlus smartphones are vulnerable to attacks that can downgrade the phone's operating system and expose the device to previously patched security flaws.
Mobile security expert Roee Hay of Aleph Research discovered the vulnerabilities and reported the problems to OnePlus in January, but the company failed to address any of the issues.
According to Hay, the vulnerabilities affect OnePlus models such as X, 2, 3, and 3T, running both OxygenOS and HydrogenOS, which are custom versions of the Android OS running on OnePlus phones.
Hay says that an attacker can launch an attack and hijack the phone's Over-The-Air (OTA) update process, which is susceptible to man-in-the-middle (MitM) attacks because it's handled via HTTP instead of HTTPS.
The researcher says that even if OnePlus OTA update packages are signed to prevent the installation from unauthorized locations, they aren't verified based on version or timestamp.
This slip-up allowed Hay to install an older version of the OxygenOS or HydrogenOS, downgrading the phone to a previous OS version that was susceptible to previously patched security flaws. The video below shows Hay performing the OS downgrade attack.
In addition, Hay also discovered that an attacker could also install OxygenOS on devices designed to support HydrogenOS, the precursor of OxygenOS. In some cases, installing the superior OS on an older product would lead to crashes or a permanent denial of service.
Last but not least, Hay also installed another version of the Android ROM boot-up package on different OnePlus devices. For example, the OnePlus X ROM on a OnePlus One device and vice versa, causing again, a denial of service state due to hardware incompatibilities.
Besides these scenarios that rely on performing a MitM attack on the OTA update, the Aleph Research expert discovered that an attacker with physical access to the device could also reboot the phone into Recovery Mode and sideload the OTA package that way.
Unlike the MitM attack that was universal, this second attack vector only worked on OnePlus 3 and 3T models, and where the Secure Start-up feature is disabled.
This is the second time Hay has taken the hammer to OnePlus security. Back in March, the researcher published another piece of research that showed how an attacker could hijack OnePlus 3 and 3T models with a malicious charger. Videos of those previous vulnerabilities being exploited — which OnePlus developers patched — are available below.