If you’re the sort of person who likes to load custom ROMs on your smartphone, the ability to load system software without unlocking the bootloader might sound like a good thing. But it also means that anyone with physical access to your device might be able to load malware.
So when OnePlus was alerted that there’s a vulnerability affecting the OnePlus 6 that lets you flash custom boot images without unlocking the bootloader, the company promised to release a fix via a software update.
On the one hand, this kind of attack is frighteningly easy to implement, because an attacker doesn’t need the phone’s bootloader to be unlocked or USB debugging to be enabled.
On the other hand, it is kind of a tough vulnerability to exploit, because the attacker needs physical access to your device so they can connect it to a PC and run the fastboot command necessary to load the modified boot image.
Then again, some people go out of their way to enable USB debugging and to unlock the bootloader specifically because they want to load custom ROMs, kernels, and other system software. So maybe some folks will see this as a feature, not a bug. Just make sure not to let your phone fall into the wrong hands.
Meanwhile, OnePlus acknowledges that the vulnerability exists and says a software update will roll out to address it “shortly.”
The #OnePlus6 allows booting arbitrary images with `fastboot boot image.img`, even when the bootloader is completely locked and in secure mode. pic.twitter.com/MaP0bgEXXd
— Edge Security (@EdgeSecurity) June 9, 2018