Vulnerabilities in OnePlus Devices

Taha Chatriwala
Sep 05, 2017
Shockingly bad news has emerged for OnePlus lovers. On January 26, 2017, security researcher Roee Hay of Aleph Research discovered four vulnerabilities that affect all OnePlus handsets, including the One, X, 2, 3 and 3T. Roee and his team notified the OnePlus team about the four vulnerabilities, which they felt needed to be patched. Two of them are rated critical (CVE-2017-5948 and CVE-2017-8850), while the other two are rated high (CVE-2017-8851 and CVE-2016-10370). The team reported them to OnePlus in a responsible manner, with a 90-day disclosure deadline, and Aleph Research even extended that deadline by 14 days. When OnePlus still had not released patches after the 90 days of responsible disclosure and the additional 14 days, the researcher decided to go public with the details of the vulnerabilities.

One of the unpatched vulnerabilities allows a Man-in-the-Middle (MitM) attack against OnePlus device users, in which a remote attacker downgrades the device's operating system to an older version. That expands the attack surface by re-exposing vulnerabilities that were previously disclosed and have since been patched. Let's see what the vulnerabilities are:
  1. OnePlus OTA Lack of TLS Vulnerability: CVE-2016-10370.

Roee Hay has reported that OnePlus rolls out OS and security updates over an unencrypted channel. According to the researchers, OnePlus delivers OTA (over-the-air) updates over HTTP (Hypertext Transfer Protocol) without TLS (Transport Layer Security), which allows attackers to perform MitM attacks on the devices.
  2. OnePlus OTA Downgrade Vulnerability: CVE-2017-5948.

This flaw allows a remote attacker to downgrade the operating system of a targeted OnePlus device, running either OxygenOS or HydrogenOS, to an earlier version that may contain previously disclosed vulnerabilities. Since all the OnePlus OTAs of different ROMs and products are signed with the same digital key, the device will accept and install any OTA image, even if the bootloader is locked.

Video: https://youtu.be/DnHwPQnv3N0 (the security researcher demonstrates how CVE-2017-5948 and CVE-2016-10370 can be exploited to downgrade OxygenOS from 4.1.3 to 4.0.0 via MitM).
  3. Same product ROM Crossover (CVE-2017-8850).

This flaw allows a remote attacker to replace any version of OxygenOS on a targeted OnePlus device with any version of HydrogenOS, even with a locked bootloader. The attack is possible because both ROMs use the same OTA verification keys.
  4. Different product ROM Crossover (CVE-2017-8851).

This flaw, which only affects the OnePlus X and OnePlus One, is practically the same as the above two, but in this case a remote MitM attacker can even replace the OS (Oxygen/Hydrogen) designed for the OnePlus X with the OS (Oxygen/Hydrogen) designed for the OnePlus One, even with a locked bootloader. This is because both devices use the same OTA verification keys and share the same ro.build.product system property.
"That could theoretically allow for exploitation of vulnerabilities patched on one image but not on the other, in addition to the expansion of the attack surface," Hay says. "Moreover, the vulnerability may result in having the device unusable until a Factory Reset is performed."
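The four flaws above come down to checks an update client did not make before installing a package. As an added example (not code from the original post, OnePlus or Aleph Research), the Python below applies those checks to constructed OTA metadata. `pre-device` and `post-timestamp` follow the Android OTA metadata format; the `rom-family` key, the device dictionary and the URL are assumptions made for illustration.

```python
from urllib.parse import urlparse

# Constructed device state; values are illustrative, not taken from a real handset.
DEVICE = {"product": "ExampleDevice", "rom_family": "OxygenOS",
          "build_timestamp": 1490000000}

# Constructed metadata in the key=value style of an Android OTA's
# META-INF/com/android/metadata. "rom-family" is a hypothetical key.
OLDER_OTA = "pre-device=ExampleDevice\npost-timestamp=1480000000\nrom-family=OxygenOS\n"
NEWER_OTA = "pre-device=ExampleDevice\npost-timestamp=1500000000\nrom-family=OxygenOS\n"
CROSS_OTA = "pre-device=ExampleDevice\npost-timestamp=1500000000\nrom-family=HydrogenOS\n"


def parse_metadata(text):
    """Parse key=value lines into a dict, ignoring blank or malformed lines."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            meta[key.strip()] = value.strip()
    return meta


def check_ota(url, metadata_text, device):
    """Return policy violations; an empty list means the package may go on to
    signature verification, which is still required and is not shown here."""
    meta = parse_metadata(metadata_text)
    problems = []
    # Transport (CVE-2016-10370): refuse update URLs that are not HTTPS.
    if urlparse(url).scheme.lower() != "https":
        problems.append("transport: update URL is not HTTPS")
    # Product crossover (CVE-2017-8851): only helps if each product reports a
    # distinct value; the post notes the X and One share ro.build.product.
    if meta.get("pre-device") != device["product"]:
        problems.append("product: package targets a different device")
    # ROM crossover (CVE-2017-8850): ROM family must match the installed one.
    if meta.get("rom-family") != device["rom_family"]:
        problems.append("rom: package is for a different ROM family")
    # Downgrade (CVE-2017-5948): reject builds older than the running build.
    try:
        if int(meta["post-timestamp"]) < device["build_timestamp"]:
            problems.append("rollback: package is older than the installed build")
    except (KeyError, ValueError):
        problems.append("rollback: missing or invalid post-timestamp")
    return problems


if __name__ == "__main__":
    print(check_ota("http://ota.example.invalid/update.zip", OLDER_OTA, DEVICE))
```
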
All these flaws are still unpatched as of September 2017, despite the fact that the researchers reported them to the OnePlus team in January 2017 and then made them public in May 2017.

ADVICE: I would suggest that OnePlus users avoid connecting to untrusted networks or public Wi-Fi networks, as exploitation requires the attacker and the targeted device to be on the same network.

Source: Aleph Security

Stay Secure! Stay Happy!!
