Users of the OnePlus 3 and OnePlus 3T running OxygenOS 4.0.2 will be surprised to know that two security bugs on both phones, CVE-2017-5624 and CVE-2017-5626, can allow hackers to use malicious chargers to slyly access sensitive information without the owner's consent.
Aleph Security has released two videos that demonstrate how the OnePlus 3 and 3T can be hacked. The attack is carried out in such a way that the owner has no clue about it, as the hack can be implemented in just a few seconds when the device is momentarily turned off after a malicious charger is connected.
As can be seen in the videos, a malicious charger is first connected to the OnePlus 3T, and within a few seconds the device turns off automatically. The attack, which is already in progress at that point, provides root access to the device by exploiting CVE-2017-5624 and CVE-2017-5626.
The hackers have access to root until the next time the OnePlus 3/3T is rebooted, provided that the malicious charger is not plugged into it. The attack installs a malicious system partition to replace the original one.
The first step of the attack provides hackers with root access, but does not provide immediate access to user data, as the partition is unmounted and encrypted. It is only after finishing the second step, replacing the system partition with a malicious one by exploiting CVE-2017-5626, that attackers can compromise sensitive information.
By exploiting CVE-2017-5624, hackers can prevent the device from showing warning messages about modification of the system partition. If the bootloader of OnePlus 3 or 3T is unlocked, the malicious charger will not need to exploit CVE-2017-5626.
As of this writing, OnePlus 3 and 3T are the only phones from the Chinese smartphone maker that are vulnerable to the hack demonstrated above. As mentioned before, the attack is only possible on OnePlus 3 and 3T devices that are running on OxygenOS 4.0.2. However, the older OnePlus 2 running on the same OxygenOS 4.0.2 is not vulnerable to the attack. OnePlus was notified about the security exploit by Aleph Security. The latest OxygenOS 4.0.3 carries a patch to fix the problem.