If you’re the sort of person that likes to load custom ROMs on your smartphone, the ability to load system software without unlocking the bootloader might sound like a good thing. But it also means that anyone with physical access to your device might also be able to load malware.

So when OnePlus was alerted that there’s a vulnerability affecting the OnePlus 6 that lets you flash custom boot images without unlocking the bootloader, the company promised to release a fix via a software update.

On the one hand, this kind of attack is frighteningly easy to implement, because an attacker doesn’t need for the phone’s bootloader to be unlocked or for USB debugging to be enabled.

On the other hand, it is kind of a tough vulnerability to exploit, because the attacker needs physical access to your device so they could connect it to a PC and run the fastboot command necessary to load the modified boot image.

Then again, some people go out of their way to enable USB debugging and to unlock the bootloader specifically because they want to load custom ROMs, kernels, and other system software. So maybe some folks will see this as a feature, not a bug. Just make sure not to let your phone fall into the wrong hands.

Meanwhile, OnePlus acknowledges that the vulnerability exists and says a software update will roll out to address it “shortly.”

Support Liliputing

Liliputing's primary sources of revenue are advertising and affiliate links (if you click the "Shop" button at the top of the page and buy something on Amazon, for example, we'll get a small commission).

But there are several ways you can support the site directly even if you're using an ad blocker* and hate online shopping.

Contribute to our Patreon campaign

or...

Contribute via PayPal

* If you are using an ad blocker like uBlock Origin and seeing a pop-up message at the bottom of the screen, we have a guide that may help you disable it.