Unlocking a smartphone’s bootloader allows users to do all sorts of things with the device, from rooting and flashing custom ROMs to installing custom kernels and much more. Usually, though, unlocking a device’s bootloader takes a bit of tinkering with the device and sometimes even requires retrieving a special code from the manufacturer. Right after a smartphone’s bootloader is unlocked, it is mandatory to wipe the device to clear it of all data. This is to prevent any malicious activity that could occur if the bootloader were unlocked with all the user’s data still present on the device. But a new set of vulnerabilities has been found on the OnePlus 3/3T that could allow malicious users not only to unlock the device’s bootloader easily, without the owner of the device knowing, but also to do it without having to wipe the device’s data afterwards.
The first of the two vulnerabilities found on the OnePlus 3/3T, which was revealed by Roee Hay (@roeehay), affects devices running OxygenOS 3.2-4.0.1 and allows a malicious user to unlock the device’s bootloader without user confirmation and without initiating the mandatory factory reset. The second vulnerability, which affects all versions of OxygenOS, allows someone to disable dm-verity on the device, which gives an attacker, and applications on the device, the ability to execute highly privileged code and access highly privileged functions without the user’s consent. The second vulnerability was also disclosed by Mr. Hay and was additionally discovered by XDA Senior Member th3g1z. The most dangerous aspect of these vulnerabilities is that they can be used in conjunction with each other to access, modify, and even copy user data easily.
Luckily, the first vulnerability has already been patched by OnePlus in its latest update, and those already running the incremental OxygenOS 4.0.2 update are no longer affected. The second vulnerability has yet to be patched, although the company has acknowledged the vulnerability and said it will fix it in a future update.
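The two indicators the article turns on, whether the bootloader is locked and whether dm-verity is still enforcing, can both be read from an Android device over ADB. The script below is an added example written for this page, not code from the article, from OnePlus, or from the researchers it names. It parses a captured `getprop` dump for the standard Android boot properties `ro.boot.flash.locked`, `ro.boot.verifiedbootstate` and `ro.boot.veritymode`, reports any state that indicates an unlocked bootloader or weakened verity, and compares an OxygenOS version string against the 4.0.2 release the article says fixes the unlock-without-wipe bug. The sample dumps are constructed, not captured from a real device, and the `ro.oxygen.version` property name used for the version check is an assumption.

```shell
#!/bin/sh
# Added example (not from the article): assess a device's verified-boot posture
# from three standard Android boot properties. On a live device they come from:
#   adb shell getprop ro.boot.flash.locked        # 1 = bootloader locked, 0 = unlocked
#   adb shell getprop ro.boot.verifiedbootstate   # green | yellow | orange | red
#   adb shell getprop ro.boot.veritymode          # enforcing | logging | disabled | eio
# The bootloader state can also be read from fastboot on OnePlus devices
# (fastboot oem device-info), which does not depend on a booted system.

# assess_boot_state <flash.locked> <verifiedbootstate> <veritymode>
# Prints one FINDING line per problem; returns 0 if healthy, 1 otherwise.
assess_boot_state() {
    locked=$1; vbstate=$2; verity=$3
    status=0
    case "$locked" in
        1) ;;
        0) echo "FINDING: bootloader unlocked (ro.boot.flash.locked=0)"; status=1 ;;
        *) echo "FINDING: bootloader lock state unknown ('$locked')"; status=1 ;;
    esac
    case "$vbstate" in
        green)  ;;
        orange) echo "FINDING: verified boot state orange: booted with an unlocked bootloader"; status=1 ;;
        yellow) echo "FINDING: verified boot state yellow: boot image signed with a non-OEM key"; status=1 ;;
        red)    echo "FINDING: verified boot state red: boot image failed verification"; status=1 ;;
        *)      echo "FINDING: verified boot state unknown ('$vbstate')"; status=1 ;;
    esac
    case "$verity" in
        enforcing) ;;
        logging|disabled|eio) echo "FINDING: dm-verity not enforcing (ro.boot.veritymode=$verity)"; status=1 ;;
        *) echo "FINDING: dm-verity mode unknown ('$verity')"; status=1 ;;
    esac
    return $status
}

# prop <dump> <name>: pull one value out of a getprop dump ("[name]: [value]" lines).
prop() {
    printf '%s\n' "$1" | sed -n "s/^\[$2\]: \[\(.*\)\]\$/\1/p"
}

# parse_getprop <dump>: run assess_boot_state on the values found in a getprop dump.
parse_getprop() {
    assess_boot_state "$(prop "$1" ro.boot.flash.locked)" \
                      "$(prop "$1" ro.boot.verifiedbootstate)" \
                      "$(prop "$1" ro.boot.veritymode)"
}

# oxygenos_unlock_bug_patched <version>: 0 when the OxygenOS version is 4.0.2 or
# newer (the build the article reports as fixing the unlock-without-wipe bug),
# 1 for anything older, including the affected 3.2 to 4.0.1 range.
oxygenos_unlock_bug_patched() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    maj=${1:-0}; min=${2:-0}; pat=${3:-0}
    pat=${pat%%[!0-9]*}; pat=${pat:-0}      # drop suffixes such as "2-beta"
    [ "$maj" -gt 4 ] && return 0
    [ "$maj" -lt 4 ] && return 1
    [ "$min" -gt 0 ] && return 0
    [ "$pat" -ge 2 ] && return 0
    return 1
}

# Constructed sample dumps (not captured from a real OnePlus 3/3T).
HEALTHY_DUMP='[ro.boot.flash.locked]: [1]
[ro.boot.verifiedbootstate]: [green]
[ro.boot.veritymode]: [enforcing]
[ro.oxygen.version]: [4.0.2]'

TAMPERED_DUMP='[ro.boot.flash.locked]: [0]
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.veritymode]: [disabled]
[ro.oxygen.version]: [4.0.1]'

# Demonstration over the constructed samples. On a real device replace the
# sample with: DUMP=$(adb shell getprop); parse_getprop "$DUMP"
for name in HEALTHY_DUMP TAMPERED_DUMP; do
    eval "dump=\$$name"
    echo "--- $name ---"
    parse_getprop "$dump" && echo "OK: locked bootloader, dm-verity enforcing" \
                          || echo "NOT trustworthy: see findings above"
    ver=$(prop "$dump" ro.oxygen.version)   # ro.oxygen.version is an assumed name
    oxygenos_unlock_bug_patched "$ver" && echo "OxygenOS $ver: unlock bug patched" \
                                       || echo "OxygenOS $ver: still in the affected range"
done
```

The verity check is the one to watch after the article's second bug: a device can report a locked bootloader and a green boot state and still have `ro.boot.veritymode` set to something other than `enforcing`, which is exactly the condition that lets modified system partitions boot unnoticed.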