
Backdoor with root access found from OnePlus phones - hpaavola
https://twitter.com/fs0c131y/status/930115188988182531
======
mads
User builds on some Chinese phones are pretty sloppy. I needed to access an
old Oppo phone the other day, where I couldn't remember the PIN. Luckily ADB
was enabled, which suggests that their production software might have been a
userdebug build. I couldn't enable root via ADB, since it was at least a
production/user build, but the su binary was already on the phone, so I just
su'ed and got a root prompt. From there I could pull the sqlite settings
database, reset the PIN and push it again. After a reboot, the phone booted
without PIN.

Unfortunately there was an Oppo homebrewed secondary PIN on some of their built-in
apps, which hadn't been reset, but it turned out I could enter the PIN as
many times as I wanted, so I made a small script to brute force it via ADB
(input text). Took half an hour to disable the secondary PIN with my script.

~~~
ksk
My Chinese phone (iPhone 6s) had a similar flaw. Okay, that was tongue in
cheek, but I don't see how adding the China qualifier adds anything new or
interesting other than inject bias.

~~~
octalmage
Does the iPhone 6s have a similar flaw? I'm still using one.

~~~
matt_wulfeck
He was joking. The 6s and pretty much every new phone use a Secure Enclave to
make brute forcing anything technically impossible.

~~~
ksk
I was not joking. There was a lockscreen bypass bug where you could access the
photos/contacts. Also, I haven't kept up with jailbreaking, so I'm not sure if
they can still be rooted. So, yeah, iphones have had several security flaws in
almost all versions.

------
RpFLCL
I just checked and found it on my OnePlus Two. To other OP owners: make sure
you look under "all" apps, not just "downloaded".

After this finding, the data collection incident a month ago, and their last
1Gb+ OTA update that bootlooped my phone, I think I'm done with OnePlus
products. I enjoyed the hardware but I can't tolerate this much
malice/incompetence in software in something as critical to my daily life.

I'm sure some posters will suggest that this is what we deserve for trusting a
Chinese OEM, but I still find it all very sad.

Steal data, brick devices, and leave backdoors: How to lose a customer in
three easy steps.
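
The check RpFLCL describes (going through all installed apps, not just the downloaded ones, to find the Engineer Mode entry) can be done from a shell over adb. The script below is an added example, not code from the thread or from OnePlus: it parses `pm list packages -f` output, keeps the packages on read-only system partitions whose name or APK path matches a pattern, and prints the `pm uninstall -k --user 0` command that hides such a package from the primary user. The package names in the sample are constructed (the thread never gives the real Engineer Mode package name), and the pattern is an assumption built from the app names the thread calls interesting.

```shell
#!/bin/sh
# Added example, not from the thread: list packages on the read-only system
# partitions whose name or APK path matches a pattern, from the output of
# `adb shell pm list packages -f`. Package names in the sample below are
# constructed; the real Engineer Mode package name is not given in the thread.

# parse_pm_list <pm-list-text>: print one "package apk-path" pair per line.
# Handles both `pm list packages -f` ("package:/path/base.apk=com.x") and the
# plain form ("package:com.x"), which gets "-" as its path. Strips the CRs
# that `adb shell` adds on some hosts.
parse_pm_list() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n '
/^package:/!d
s/^package://
/=/{
s/^\(.*\)=\([^=]*\)$/\2 \1/
p
d
}
s/$/ -/
p
'
}

# system_matches <pm-list-text> <ERE>: packages matching the pattern
# (case-insensitive, on name or path) that live on a system partition.
# Those cannot be uninstalled for all users without root, but can be removed
# for the primary user with `pm uninstall -k --user 0 <package>`.
system_matches() {
    parse_pm_list "$1" | grep -iE -- "$2" |
        awk '$2 ~ /^\/(system|vendor|oem|product)\// { print $1 }'
}

# disable_for_user0 <package>: print the adb command that hides a system app
# from user 0. Run it yourself after reviewing: an OTA or factory reset may
# bring the app back, and other system components may depend on it.
disable_for_user0() {
    printf 'adb shell pm uninstall -k --user 0 %s\n' "$1"
}

# Constructed sample of what `adb shell pm list packages -f` might print.
SAMPLE_PM_LIST='package:/system/priv-app/EngineerMode/EngineerMode.apk=com.example.engineermode
package:/data/app/com.example.game-1/base.apk=com.example.game
package:/data/app/com.example.testengineer-1/base.apk=com.example.testengineer
package:/system/app/WifiRfTest/WifiRfTest.apk=com.example.wifirftest
package:com.example.noformat'

# Assumed pattern, built from names the thread flags: Engineer Mode,
# WifiRfTest, OnePlusLogKit.
SUSPECT_PATTERN='engineer|rftest|logkit'

if [ "${1:-}" = "--live" ]; then
    # Against a connected device: same logic over the real package list.
    live=$(adb shell pm list packages -f) || exit 1
    system_matches "$live" "$SUSPECT_PATTERN" | while read -r pkg; do
        disable_for_user0 "$pkg"
    done
else
    system_matches "$SAMPLE_PM_LIST" "$SUSPECT_PATTERN"
fi
```

Run it with `--live` against a device that has USB debugging enabled; without the flag it works on the constructed sample and prints the two system packages that match while ignoring the user-installed one. `pm uninstall -k --user 0` only removes the app for user 0: the APK stays on /system, an OTA or factory reset restores it, and, as mondoshawan notes further down, other vendor components may depend on it, so check what breaks before treating this as a mitigation.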

~~~
mino
> I enjoyed the hardware but

Do like me, if you don't want to trash a OnePlus device: install LineageOS.

~~~
levesque
Third party software is always a bumpy ride. Something is going to not work
out of the box, optimization will be less than stellar, battery usage won't be
as good. I cannot tolerate my cellphone not working 100% of the time.

~~~
jstanley
Can you tolerate a backdoor in it?

~~~
levesque
I can and I am. As far as I can tell, it's only accessible locally, so I can
live with it.

------
BuildTheRobots
I have a onePlus 3 (which anecdotally has been a lovely handset, just
extremely fragile. And onePlus and their repair company have been entirely
useless at communication...)

I also have the EngineerMode installed and it's also using data; "61.34mb
since 1 Aug".

It's worth noting that the data usage (752kb since Nov 1st) says it also
includes other apps, I've listed them below for reference as I've not seen
anyone else mention this yet. There's certainly some interesting names.

OPSkin
com.quicinc.cne.CNEService.CNES...
com.qti.service.colorservice
SmartcardService
SVI Settings
WifiRfTest
Screenshot
com.oneplus.setupwizard
Manage center
com.oneplus.sdcardservice
FidoCryptoService
NVBackupUI
Content Adaptive Backlight Settings
Android System
OnePlus System Service
Wfd Service
applocker
SimContacts Manager
OnePlus Camera Service
Settings Storage
SecureExtAuthService
nfc
SecureSampleAuthService
Input Devices
com.qti.dpmserviceapp
com.oem.logkitsdservice
com.qualcomm.qti.simsettings
Key Chain
Call Management
File manager
org.codeaurora.btmultisim
ANT HAL Service
com.fingerprints.service.Fingerprin...
OnePlusLogKit
BugReportLite
SeempJService
Settings
Tags
LocatonServices
AutoTestServer
com.qualcomm.qti.tetherservice
System Update
MdtpService
com.android.wallpaperbackup
Fused Location
com.qualcomm.fastdormancy
com.qualcomm.qti.biometrics.voic...
QTI Logging
OPConfig
com.qualcomm.timeservice
OPLocationService
Sensor Test Tool

~~~
notsospeedruns
I also have the 3, agreed on points of quality but fragility.

Looking at the data usage for several of the connected apps (my list is
identical to yours as far as I can tell), it looks like the only data they
send is as a subset of engineer mode (their individual data sent isn't shown,
only the engineer mode total).

There's definitely some concerning names there. Double checking my recent
screenshots, it seems at least that it couldn't be sending full images with as
much data as it's used. It's likely that it's not sending data from all of
these, but just accessing them at some point. The previous leak on here
revealed that OnePlus could track when you opened and closed apps. Based on
this, it could potentially track your location, when you take screenshots,
when you make phone calls, and a host of other information.

------
SmellyGeekBoy
I've said it on HN before but it bears repeating: If you have a OnePlus, do
yourself a favour and put LineageOS on it. It works perfectly on my OP3.

~~~
electricEmu
Android's bootloader isn't supposed to be locked when installing custom
firmware. An unlocked bootloader is a large physical access vulnerability.

How does LineageOS help security exactly?

~~~
tmikaeld
Encryption helps.

~~~
electricEmu
Does it? It seems useless when anyone with physical access can replace the
bootloader.

[https://android.stackexchange.com/questions/38909/unlocked-b...](https://android.stackexchange.com/questions/38909/unlocked-bootloader-encryption)

~~~
styyle14
Well, this would require them to wipe your phone's data, so you would be
alerted as soon as it happened since your phone would not have any of your old
data once you logged in. If a malicious attacker is able to take your phone
without you noticing and be able to replace it, the difference of a locked or
unlocked bootloader won't change the fact that you are going to put in your PIN
on boot. Instead of replacing your OS with a malicious OS, they could simply
replace your phone with a malicious copy of your phone and get your PIN on the
first bootup. They still get your PIN and you still lose your data. The
benefit of LineageOS is that it is open source and can be built yourself, so
anyone can check the code for backdoors/vulnerabilities. This also means you
get all updates as soon as you can build them.

~~~
electricEmu
LineageOS is a great OS. People should continue to use it for learning, fun,
and getting things done.

Please elaborate though. How is an unlocked bootloader more secure than
EngineerMode appearing on a phone [1]? Conclusion #6:

> Encryption is insecure with an unlocked bootloader or an open-access
> recovery.

If you have LineageOS with TWRP and an unlocked bootloader then it appears you
have an insecure device.

[1] [https://forum.xda-developers.com/android/software-hacking/tw...](https://forum.xda-developers.com/android/software-hacking/twrp-password-protection-thread-t2990816)
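
The two things being argued about in this exchange, whether a device's bootloader is locked and whether its firmware is a genuine retail build, are both readable from system properties. The script below is an added shell example, not code from the thread or from any vendor: it classifies those properties and also checks for the shipped su binary that mads describes at the top of the thread. ro.build.type, ro.debuggable, ro.secure, ro.boot.verifiedbootstate and ro.boot.flash.locked are standard Android property names, but whether the last two are populated depends on the device's bootloader, which is an assumption here; the getprop samples are constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example, not from the thread or from any vendor: read the trust-relevant
# system properties of an Android device and classify them, so "is this a
# debuggable build with su on it" and "is the bootloader unlocked" can be
# checked rather than guessed. Input is the text of `adb shell getprop`;
# the samples at the bottom are constructed.

# prop <getprop-text> <name>: print the value of "[name]: [value]", or nothing.
prop() {
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')   # dots in the name are literal
    printf '%s\n' "$1" | tr -d '\r' | sed -n "s/^\[$esc]: \[\(.*\)]\$/\1/p"
}

# classify_build <getprop-text>: one of
#   userdebug, eng   -> engineering builds; adb root works, must not ship
#   user-debuggable  -> ro.build.type=user but ro.debuggable=1 or ro.secure=0,
#                       i.e. a "production" build with debug bits left on
#   user-secure      -> what a retail build should look like
classify_build() {
    btype=$(prop "$1" ro.build.type)
    debuggable=$(prop "$1" ro.debuggable)
    secure=$(prop "$1" ro.secure)
    case "$btype" in
        userdebug|eng) printf '%s\n' "$btype" ;;
        user)
            if [ "$debuggable" = "1" ] || [ "$secure" = "0" ]; then
                echo user-debuggable
            else
                echo user-secure
            fi ;;
        *) echo unknown ;;
    esac
}

# classify_boot <getprop-text>: bootloader / verified-boot state.
# ro.boot.verifiedbootstate is green (locked, OEM key), yellow (locked, user
# key) or orange (unlocked); ro.boot.flash.locked (1/0) is the fallback for
# devices that set only that. Assumption: the bootloader populates these at
# all, which not every OEM does.
classify_boot() {
    vbstate=$(prop "$1" ro.boot.verifiedbootstate)
    locked=$(prop "$1" ro.boot.flash.locked)
    case "$vbstate" in
        green|yellow) echo "locked ($vbstate)" ;;
        orange)       echo "unlocked (orange)" ;;
        *)
            case "$locked" in
                1) echo locked ;;
                0) echo unlocked ;;
                *) echo unknown ;;
            esac ;;
    esac
}

# su_present <listing>: succeed if a su binary shows up in the listing, which
# is what `adb shell 'ls /system/bin/su /system/xbin/su /sbin/su 2>/dev/null'`
# prints (one path per line, or nothing at all).
su_present() {
    printf '%s\n' "$1" | grep -q '/su$'
}

# Constructed samples: a retail-looking device and one with debug bits on.
SAMPLE_RETAIL='[ro.build.type]: [user]
[ro.debuggable]: [0]
[ro.secure]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.flash.locked]: [1]'

SAMPLE_LEAKY='[ro.build.type]: [user]
[ro.debuggable]: [1]
[ro.secure]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.flash.locked]: [0]'

if [ "${1:-}" = "--live" ]; then
    props=$(adb shell getprop) || exit 1
    listing=$(adb shell 'ls /system/bin/su /system/xbin/su /sbin/su 2>/dev/null')
    echo "build:      $(classify_build "$props")"
    echo "bootloader: $(classify_boot "$props")"
    if su_present "$listing"; then echo "su binary:  present"; else echo "su binary:  none"; fi
else
    echo "retail sample: $(classify_build "$SAMPLE_RETAIL"), $(classify_boot "$SAMPLE_RETAIL")"
    echo "leaky sample:  $(classify_build "$SAMPLE_LEAKY"), $(classify_boot "$SAMPLE_LEAKY")"
fi
```

On a retail handset you expect `user-secure`, `locked (green)` and no su binary; `user-debuggable`, `userdebug`, or an unlocked state on a phone you never unlocked is the situation this thread is about. An unlocked bootloader does not weaken the encryption itself; what it removes is the guarantee that the code asking for your PIN is the code you installed, which is the point Conclusion #6 in the linked thread is making.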

------
Phemist
The "secret" password seems to be "angela". OnePlus == DarkArmy confirmed?

~~~
vnchr
Probably fans of Angela Lansbury.

~~~
Double_a_92
Seems like a Mr.Robot reference to me.

------
danjoc
All modern mobile phones have a baseband processor with root backdoor. OnePlus
is only remarkable for having a second one.

~~~
dmos62
Reference, or explanation?

~~~
danjoc
[https://en.wikipedia.org/wiki/Mobile_baseband](https://en.wikipedia.org/wiki/Mobile_baseband)

If it has GSM/LTE/CDMA/etc baseband processor with closed implementation,
assume it has remote root backdoor. Samsung has already been caught.

osmocombb tried to solve this. That project is essentially dead.

~~~
lurker12390879
Librem 5 is a partial solution because the baseband has no access to the
system.

~~~
nyargh
Still has DMA, no?

~~~
kogepathic
No, the baseband radio will not be connected to the SoC via DMA.

They are proposing to use an external baseband with a USB or UART interface to
the main SoC and a kill switch.

[https://forums.puri.sm/t/level-of-freedom-of-librem-phone-es...](https://forums.puri.sm/t/level-of-freedom-of-librem-phone-especially-gsm-mdule/1316/2)

------
atomicnumber1
I didn't know that the engineer mode app could be used for such malice. I bet they
didn't either (btw I know that they should have been more vigilant about what
goes into the consumer device). And this app is developed by Qualcomm. I just
think that they forgot to remove it from user builds (which btw is a bad sign).

~~~
mondoshawan
After having worked in the bowels of Qualcomm's Android drops, I have to note
that the amount of precompiled vendor binaries that get included was
astounding. The worst part is that their tendrils hook in to major parts of
the low level networking stacks in very bizarre ways. Removing them is often
extremely difficult, and even simple things like removing APKs like this one
often affect the stability of the system as a whole.

I can't really fault 1+ for this debacle -- but this is what happens when OEMs
just go along with using these inscrutable blobs of crapware from their
upstream vendors.

I only hope Librem can actually pull off their phone. Shipping something fully
open in light of findings like this may help to turn the tide.

------
mads
Isn't the EngineerMode APK an MTK app? I have been involved in developing a
Marshmallow MTK based phone in the past and in my experience their BSPs were
pretty messy. I.e. a lot of cleaning up is necessary if you want a relatively
quiet logcat and debugging APKs removed - even for user builds.

Edit: I must have remembered wrong or I saw the EngineerMode on the QComm
device we developed before our MTK based device. The OnePlus seems to be a
QComm device.. :)

~~~
milankragujevic
I have a shit Allwinner A33 tablet and it has SoftWinner APK _AND_
EngineerMode APK. So idk maybe it's something shared for all Chinese
devices...?

------
koevet
More context here: [http://www.androidpolice.com/2017/11/13/oneplus-left-backdoo...](http://www.androidpolice.com/2017/11/13/oneplus-left-backdoor-devices-capable-root-access/)

------
mijoharas
Can anyone clarify as to whether there is a mitigation, and post a link?

------
laxentasken
Found it on my Oneplus X. Maybe this is the time to try out Apple.

~~~
jetpks
As a long time iPhone user that swings Android every few years to try the
waters, I am consistently blown away at the level of garbage Android users are
expected to deal with on a regular basis.

Want to know how many times my iPhones have boot looped in the last nine
years? Not once ever. My last Android (Nexus 6p) managed to do it several
times in the 3-ish months I daily-drove it.

Want to know how long you can expect to get iOS updates with a new hardware
purchase? 5+ years. Compared with the very best case for Android: 2 maybe?

How many times with an iPhone have I been expected to install a custom OS to
get around a user-hostile feature like I saw about fifty times in the 1
billion outdated androids thread? Zero times.

It’s unreal.

~~~
zeveb
> I am consistently blown away at the level of garbage Android users are
> expected to deal with on a regular basis.

My girlfriend uses an iPhone; I am consistently blown away by the amount of
garbage _she's_ expected to deal with on a regular basis. When she changes to
another app, our video chats go dark; there's no Termux or GNURoot equivalent
(that I'm aware of); tapping doesn't move the cursor but instead selects words
(I think that's it); the mail app is hellaciously bad; she's stuck using
Safari and seeing ads. So, so many ads. Ads everywhere. I never see ads on my
phone, but on hers the Internet is nothing but ads as far as the eye can see.

The sad fact is that the mobile phone ecosystem in general is full of garbage.
Neither Android nor iOS is exempt. But at least with Android I have freedom.

> How many times with an iPhone have I been expected to install a custom OS to
> get around a user-hostile feature like I saw about fifty times in the 1
> billion outdated androids thread? Zero times.

That's because with an iPhone there are no custom OSes and you're stuck with
Apple's user-hostile features.

~~~
matwood
> she's stuck using Safari and seeing ads. So, so many ads. Ads everywhere. I
> never see ads on my phone, but on hers the Internet is nothing but ads as
> far as the eye can see.

Purify is an ad blocker that works great on the iPhone. Content blockers have
been a supported part of iOS for the last couple versions. Apple actually
caught a lot of flack from websites for allowing them.

> But at least with Android I have freedom.

Freedom to send all your data to Google? Sure, you can install custom ROMs,
but now you're squarely out of any normal user scenario.

> That's because with an iPhone there are no custom OSes and you're stuck with
> Apple's user-hostile features.

You're considering Apple user hostile when the only way to get around Android's
lack of security updates is to go deal with custom ROMs? Apple tends to make
the best decision for the largest amount of users. Do they always match up
with my decisions? No, but they are close enough, and I don't have to deal
with the Android mess when all I want is a working phone.

~~~
Tarq0n
iTunes is user hostile. I might try an iPhone if not for the terrible
experience of managing one on Windows.

I was also unimpressed by how difficult it was to get my family member's
pictures out of their cloud offering, when asked to do so for relatives.

~~~
matwood
You know the iPhone has not needed iTunes for quite a while? I'm not even sure
about the last time I started iTunes on my computer. Even moving from an
iPhone to a new iPhone is as simple as holding the 2 phones close together and
signing in on the new phone.

iCloud also works fine with Apple devices, but can be mostly skipped. Google
Photos will happily upload all the pics on the iPhone to Google pictures. The
5GB iCloud is then plenty for iPhone data backups.

------
milankragujevic
Have it on my tablet that's not even Mediatek or Qualcomm, but instead
Allwinner A33... Scary. I think I should throw it away. Or, since it comes
pre-rooted and in engineer build mode instead of userdebug or prod, I think I
just might uninstall the APK from the shell and sleep well tonight.

------
mkroman
No one found it just a tad strange that there was a system library called
libdoor.so?

~~~
chiph
So you can run old BBS games on your phone?

~~~
PacketPaul
Sign me up!

------
logingone
[https://en.wikipedia.org/wiki/List_of_mobile_phone_makers_by...](https://en.wikipedia.org/wiki/List_of_mobile_phone_makers_by_country)

------
anonu
EngineerMode: so I fired this up on my OnePlus5 (and subsequently rooted my
device). Fun times. Can anyone explain all the features in Engineer Mode?

* DDR Aging Test: Some sort of DRAM physical memory test?

* SUPL Tool: Tries to connect to supl.google.com:7276 ??

* Network set >> RAT Mode? ....

Other features test your screen, colors, backlight, NFC, Wifi, etc - would
still be helpful if someone with a bit more background could give some color.

------
majewsky
I just checked my OnePlus One and it doesn't have the "Engineering mode" app.
Maybe because I'm on the original CyanogenOS; I didn't upgrade to Oxygen OS.

~~~
hs86
Do you consider switching over to the community based LineageOS? They will
continue to provide security updates for your phone and afair currently you
are stuck with Android 6. Additionally, the upcoming release will bring
Android 8 to your device:
[https://review.lineageos.org/#/q/branch:lineage-15.0+bacon](https://review.lineageos.org/#/q/branch:lineage-15.0+bacon)

~~~
darklajid
lineageos is awesome.

Unfortunately the camera app is quite a bit worse in my opinion (used it on
the OnePlus One, 3T and haven't tested it with my 5). Guess some things are
more important at this point..

~~~
nocoder
I would like to use lineage OS but if I root my phone my work email will stop
working. It is configured via Boxer app, is there a work around?

~~~
hs86
To gain root access you have to flash an optional zip file [0] after flashing
LineageOS itself and the also optional OpenGapps [1]. If you don't do that,
your Boxer app should pass these SafetyNet checks [2].

If you want both root and still full access to these SafetyNet-"protected"
apps, you can try the alternative rooting solution Magisk [3] which
specializes on bypassing these (imho arbitrary) restrictions.

[0] [https://download.lineageos.org/extras](https://download.lineageos.org/extras)

[1] [http://opengapps.org/](http://opengapps.org/)

[2] [https://www.lineageos.org/Safetynet/](https://www.lineageos.org/Safetynet/)

[3] [https://forum.xda-developers.com/apps/magisk/official-magisk...](https://forum.xda-developers.com/apps/magisk/official-magisk-v7-universal-systemless-t3473445)

------
jokoon
I got a very cheap huawei Y300 which stopped working recently.

I think I remember having this app, along with many other weird ones
preinstalled.

Also, does anybody know why some android phones have some "debug mode" when I
plug them via USB? I mean if you think about it, that also sounds like a
backdoor.

~~~
staz
USB debug mode is a standard feature of Android that is disabled by default,
but it's possible to enable it manually. If you see it without having enabled
it, it is indeed strange.

[https://www.kingoapp.com/root-tutorials/how-to-enable-usb-de...](https://www.kingoapp.com/root-tutorials/how-to-enable-usb-debugging-mode-on-android.htm)

~~~
jokoon
Yes it seems to be enabled by default, I disable it from time to time.

At that point there are so many critical security flaws coming up every month
that I don't really bother anymore.

------
therealmarv
It's not the first time a big security/privacy leak was found on OnePlus'
phones. Would stay far away from OnePlus phones.

~~~
shpx
I would stay away from proprietary software, especially if it was written in
Russia or China.

All of their tech companies owe their entire existence to their respective
governments and it's not like the governments set up that environment for them
for free.

~~~
stolho
Sure, and tech companies in the USA are super trusted. And for sure no backdoors
are found. Just one of the recent examples: when the author of Telegram was
"contacted" by the USA government during his visit to the USA. If you really want
to be honest - you should understand that every government is interested in
"access" to popular tech tools - laptops, phones, social networks, messengers,
etc.

And it will be really good also to check facts and not yellow press like CNN,
BBC, etc. and just bullshit Russia.

Trust is a weakness... Never forget it :)

------
rippsu
on OnePlus One you can install Ubuntu Touch
[https://ubports.com/page/devices](https://ubports.com/page/devices)

~~~
tmikaeld
Except it's not actively developed anymore.

