Update 11/14/17 4:30 PM: In a blog post, an engineer from OnePlus announced that the portion of Engineer Mode that allows for the exploit described in this article will be removed in an upcoming update. The engineer also wrote that Engineer Mode does "not let 3rd-party apps access full root privileges."
Update 11/15/17 2:22 PM: This story has been updated with comment from Qualcomm.
OnePlus, a major Chinese smartphone manufacturer, has gotten itself into a hell of a lot of security trouble lately, and now the situation is only getting worse.
Mobile security researcher Robert Baptiste, who goes by the pseudonym Elliot Alderson (a nod to the main character in the Mr. Robot series), discovered that OnePlus smartphones have apparently been shipping for years with a hidden backdoor. It makes it easy for a clever hacker with physical access to root a OnePlus phone with just a few lines of code.
Alderson found an application on OnePlus devices intended for factory testing, and discovered it could be used to obtain “root access” to the phone. Rooting an Android device allows a developer to essentially gain access to everything in the operating system, and permission to change anything about the device’s software.
The application the researcher found is called “Engineer Mode.” It’s meant to be used while the smartphone is still in the factory, to test whether it’s working properly. Engineer Mode was hidden behind a password, but Alderson, along with researchers at app security firm NowSecure, was able to quickly crack it. The password is “angela,” which could ironically be another Mr. Robot reference.
Alderson believes that the vulnerability can only be exploited with physical access, at least for now. He said in a tweet that it’s “too early to speak about a random app getting root access, but we are on the good tracks.”
It looks like the application was left on a number of devices, but it’s not clear whether OnePlus did so intentionally, or whether it was an accident. Engineer Mode is on several different smartphones that OnePlus makes, including the OnePlus 3, OnePlus 3T, and the OnePlus 5, according to the blog Android Police.
Alderson told me in a Twitter DM that he has no doubt that Engineer Mode was left on OnePlus devices with the company’s knowledge. “This app is a Qualcomm app customized by OnePlus. This backdoor had been coded by Qualcomm.” The backdoor may not have been left maliciously, however, Alderson explained. It could have been due to “laziness.”
Alderson told me he started investigating OnePlus devices last month when another major security problem was made public about the manufacturer’s phones. In October, a January report from security researcher Chris Moore was covered widely by the press. It showed that OnePlus was collecting sensitive information from its users and transmitting it to a server along with each device’s serial number. In response to these findings, OnePlus later scaled back its data collection program.
If you want to see if your device has Engineer Mode installed, you can go to Settings > Apps > Menu > Show System apps. There, you can check whether Engineer Mode is installed. If you discover that your device has it, you can delete it from your phone’s applications, according to Alderson.
It appears that OnePlus phones might not be the only devices to come pre-baked with Engineer Mode. Several users on Twitter have reported discovering the app in Lenovo and Motorola devices that use Qualcomm chips. Other manufacturers may be affected, according to Alderson, because Engineer Mode is an app designed by the manufacturer Qualcomm.
“After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm. Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided,” a spokesperson from the company said in an emailed statement.
OnePlus did not immediately return a request for comment, but the company’s CEO, Carl Pei, said on Twitter that the issue was being examined.
The discovery of this hidden backdoor couldn’t come at a worse time: OnePlus’ latest smartphone, the OnePlus 5T, comes out this week.