OnePlus phones include an easily exploitable backdoor (Update 2: Qualcomm responds)

Update #2 (11/15) 14:09 EST: Qualcomm has reached out to Android Authority to clarify some details on the EngineerMode app. A Qualcomm spokesperson says:

After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm. Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided.

Update (11/14) 17:03 EST: OnePlus has responded to earlier claims about Qualcomm’s EngineerMode app including an easily exploitable backdoor for hackers. In a post on the OnePlus forums, OxygenOS team member OmegaHsu tried to shed some light on the app in question and what exactly the company plans to do about it.

In the statement, OnePlus is claiming what we already knew— that the EngineerMode app allows anyone to access root privileges without much effort. However, USB debugging (which is off by default) needs to be turned on for root access to be achieved, which means people will have a harder time hacking into your phone if they don’t have physical access to it. Additionally, the app does not give third-party applications full root privileges.

Still, this is a pretty big security concern, which is why the company plans to remove the adb root function from the app in an upcoming OTA.

The full statement can be found below:

Yesterday, we received a lot of questions regarding an apk found in several devices, including our own, named EngineerMode, and we would like to explain what it is. EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support.

We’ve seen several statements by community developers that are worried because this apk grants root privileges. While, it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.

While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA.

We’ll be sure to let you know when OnePlus issues this OTA.

Original story (11/14) 07:48 EST: A developer has found a way to gain root access to a OnePlus device by exploiting an app designed for factory testing. The developer, who uses the name Elliot Alderson on Twitter (after the Mr Robot TV show lead), posted a series tweets yesterday outlining the steps taken to achieve the privileges.

The app in question is a system app that was apparently made by Qualcomm and customized by OnePlus; it’s called EngineerMode and arrives pre-installed on OnePlus devices like the OnePlus 5, 3T and 3 (you can find it yourself searching Settings > Apps > Menu > Show system apps, and then search “EngineerMode” in the app list). It’s used to run system tests for things like GPS, vibration, screen brightness, and also root checking.

EngineerMode has been known about for a while, but the risks it presents weren’t known until after Alderson did some digging. The developer discovered a password-protected backdoor within the app’s code, which he was able to work around to gain root access — a big enough problem to begin with for OnePlus in terms of security. But that was before some smart folks chimed in having discovered the actual password (it’s Angela, which, coincidentally, is also likely a Mr Robot reference).

This means root access can be achieved using just one command line — giving hackers the potential to cause harm without much work. It’s not something that could be achieved remotely, however, you would need the physical OnePlus device connected to a computer running the Android Debug Bridge (ADB) to exploit the vulnerability.

This nonetheless raises questions over why is the device shipping with this app (presumably it has just been overlooked) and whether it’s available on other Qualcomm devices.

Alderson said that he would publish an app soon to allow users to simply gain root access to their devices. Meanwhile, OnePlus co-founder Carl Pei has already announced that OnePlus is investigating the issue.

We’ve also we’ve reached out to OnePlus and will update this story when we receive comment.