The OnePlus 3 and 3T are among the most popular smartphones in the Indian market at the moment. However, researchers at Aleph Security, a cyber security company, have disclosed a particularly serious security flaw in the OnePlus 3 and OnePlus 3T. In a blog post, the security company published details of the flaw, which lets hackers infect your device using a malicious charger.
This flaw comes weeks after other flaws were pointed out in the OnePlus bootloader. It relies on the vulnerabilities CVE-2017-5622, CVE-2017-5624 and CVE-2017-5626, of which CVE-2017-5622 is the one the researchers recently discovered. Before diving into the details, it is worth pointing out that OnePlus fixed CVE-2017-5626 in OxygenOS 4.0.2, while CVE-2017-5622 and CVE-2017-5624 were fixed in OxygenOS 4.0.3.
The new flaw allows hackers to take over your device when it is completely turned off. It leverages the existing vulnerabilities CVE-2017-5622, CVE-2017-5624 and CVE-2017-5626, which allow access to users' personal data.
What stands out about this exploit is how the vulnerabilities chain together. CVE-2017-5624 enables hackers to access your data without any warning to users after they unlock their device. On its own, this first exploit needed physical access or authorized ADB access to work. CVE-2017-5626, on the other hand, allows hackers to inject the previous exploit using a malicious charger.
However, the latest flaw, CVE-2017-5622, allows hackers to hide the fact that they have modified the ‘system’ partition of the smartphone using the root access they gained through CVE-2017-5624. This means that hackers can install any app that requires root access in the system partition. The researchers built a proof of concept in which CVE-2017-5622 and CVE-2017-5626 give root access, put SELinux in permissive mode and execute kernel code. So ensure that you are on the latest version of OxygenOS to guard against these flaws.