SAN FRANCISCO – Hackers who get hold of some OnePlus phones can obtain virtually unlimited access to files and software through use of a testing tool called EngineerMode that the company evidently left on the devices.
Robert Baptiste, a freelance security researcher who goes by the name Elliot Alderson on Twitter after the “Mr. Robot” TV show character, found the tool on a OnePlus phone and tweeted his findings Monday. Researchers at security firm SecureNow helped figure out the tool’s password, a step that means hackers can get unrestricted privileges on the phone as long as they have the device in their possession, CNET.Com reported.
The EngineeerMode software functions as a backdoor, granting access to someone other than an authorized user. Escalating those privileges to full do-anything “root” access required a few lines of code, Baptiste said.
“It’s quite severe,” Baptiste said via a Twitter direct message.
OnePlus disagreed, though it said it’s decided to modify EngineerTool.
“EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support,” the company said in a statement. Root access “is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device. While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb [Android Debug Bridge command-line tool] root function from EngineerMode in an upcoming OTA.”
Baptiste had spotted evidence that EngineerMode was written by mobile chipmaker Qualcomm. But Qualcomm said Wednesday that’s not the case.
“After an in-depth investigation, we have determined that the EngineerMode app in question was not authored by Qualcomm,” the company said in a statement. “Although remnants of some Qualcomm source code is evident, we believe that others built upon a past, similarly named Qualcomm testing app that was limited to displaying device information. EngineerMode no longer resembles the original code we provided.”
This story was published by CNET.Com.