The Hacker News — Cyber Security, Hacking, Technology News

There is a bad news for all OnePlus lovers.

A security researcher has discovered four vulnerabilities that affect all OnePlus handsets, including One, X, 2, 3 and 3T, running the latest versions of OxygenOS 4.1.3 (worldwide) and below, as well as HydrogenOS 3.0 and below (for Chinese users).

Damn, I am feeling bad, I myself use OnePlus.

One of the unpatched vulnerabilities allows Man-in-the-Middle (MitM) attack against OnePlus device users, allowing a remote attacker to downgrade the device’s operating system to an older version, which could then expand the attack surface for exploitation of previously disclosed now-patched vulnerabilities.

What's even worse? The other two vulnerabilities also allow an MitM attacker to replace any version of OxygenOS with HydrogenOS (or vice versa), as well as to replace the operating system with a completely different malicious ROM loaded with spying apps.

The vulnerabilities have been discovered by Roee Hay of Aleph Research, HCL Technologies, who reported them to the company in January this year.

However, when OnePlus failed to release patches for the issues even after 90 days of responsible disclosure, and 14 days of additional ultimatum, the researcher decided to go public with the details of the vulnerabilities, which are described below.

1 — OnePlus OTA Updates Over HTTP: CVE-2016-10370

It's 2017, and you would be shocked to know that one of the popular device manufacturers is sending you OS updates and security patches over an unencrypted channel.

Roee Hay and Sagi Kedmi, who also independently discovered it, claims that OnePlus is delivering signed-OTA (over-the-air) updates over HTTP without TLS, allowing remote attackers to perform MitM attacks.

Since the OTA updates are signed with a digital signature, this bug alone is not sufficient to push malicious updates to the affected devices.

But this weakness facilitates other three below-reported vulnerabilities, which could allow an attacker to defeat the digital signature mechanism as well.

2 — OnePlus OTA Downgrade Attack: CVE-2017-5948

This flaw allows a remote attacker to downgrade the operating system of a targeted OnePlus device, either running on OxygenOS or HydrogenOS, to an earlier version that may contain vulnerabilities disclosed previously.

Since all the OnePlus OTAs of different ROMs and products are signed by the same digital key, the device will accept and install any OTA image, even if the bootloader is locked.
Android devices mostly have a logical code that does not allow users to downgrade their OS, but OnePlus fails here as well. It does not check if the currently installed version of the OS is lower than or equal to the given OTA image.

OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X and OnePlus One are affected by this vulnerability.

The researcher has also published proof-of-concept (PoC) code on GitHub.

3 — OxygenOS/HydrogenOS Crossover Attack: CVE-2017-8850

The second flaw listed above also allows a remote attacker to replace any version of OxygenOS on a targeted OnePlus device with any version of HydrogenOS, even on locked bootloaders.

This attack is possible because “the fact (that) both ROMs use the same OTA verification keys,”

According to the researcher, OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X and OnePlus One are affected by this vulnerability as well.

The researcher has also published proof-of-concept (PoC) for this flaw on GitHub.

4 — OnePlus OTA One/X Crossover Attack: CVE-2017-8851

This flaw, which only affects OnePlus X and OnePlus One, is practically same as the above two, but in this case, a remote MiTM attacker can even replace the OS (Oxygen/Hydrogen) designed for OnePlus X with the OS (Oxygen/Hydrogen) designed for OnePlus One, even on locked bootloaders.

This is because both the devices "use the same OTA verification keys" and "share the same ro.build.product system property."

"That could theoretically allow for exploitation of vulnerabilities patched on one image but not on the other, in addition to the expansion of the attack surface," Hay says. "Moreover, the vulnerability may result in having the device unusable until a Factory Reset is performed."

You can check the proof-of-concept exploit for this vulnerability here.

All the above flaws exist only because OnePlus is not using secure communication for delivering OTA updates, and can be patched easily just by introducing HTTPS/TLS implementation.

Since the exploitation requires the attacker and the targeted device to be on the same network, users are advised to avoid connecting to untrusted or public Wi-Fi networks.

A team of researchers from the University of Michigan discovered that hundreds of applications in Google Play Store have a security hole that could potentially allow hackers to steal data from and even implant malware on millions of Android smartphones.

The University of Michigan team says that the actual issue lies within apps that create open ports — a known problem with computers — on smartphones.

So, this issue has nothing to do with your device's operating system or the handset; instead, the origin of this so-called backdoor is due to insecure coding practices by various app developers.

The team used its custom tool to scan over 100,000 Android applications and found 410 potentially vulnerable applications — many of which have been downloaded between 10 and 50 Million times and at least one app comes pre-installed on Android smartphones.

Here I need you to stop and first let's understand exactly what ports do and what are the related threats.

Ports can be either physical or electronic in nature. Physical ports are connection points on your smartphones and computers, such as a USB port used to transfer data between devices.

Electronic ports are those invisible doors that an application or a service use to communicate with other devices or services. For example, File Transfer Protocol (FTP) service by default opens port 21 to transfer files, and you need port 80 opened in order to connect to the Internet.

In other words, every application installed on a device opens an unused port (1-to-65535), can be referred as a virtual door, to communicate for the exchange of data between devices, be it a smartphone, server, personal computer, or an Internet-connected smart appliance.

Over the years, more and more applications in the market function over the Internet or network, but at the same time, these applications and ports opened by them can be a weak link in your system, which could allow a hacker to breach or take control of your device without your knowledge.

This is exactly what the University of Michigan team has detailed in its research paper [PDF] titled, "Open Doors for Bob and Mallory: Open Port Usage in Android Apps and Security Implications."

According to the researchers, the major issue is with the apps like WiFi File Transfer, which has been installed between 10 million and 50 million times and allows users to connect to a port on their smartphone via Wi-Fi, making it easy to transfer files from a phone to a computer.

But due to insufficient security, this ability of the apps is apparently not limited to merely the smartphone's owner, but also malicious actors.

However, applications like WiFi File Transfer pose fewer threats, as they are designed to work over a local network only, that requires attackers to be connected to the same network as yours.

On the other hand, this issue is extremely dangerous in the scenarios where you connect to a public Wi-Fi network or corporate network more often.

To get an initial estimate on the impact of these vulnerabilities, the team performed a port scanning in its campus network, and within 2 minutes it found a number of mobile devices potentially using these vulnerable apps.

"They manually confirmed the vulnerabilities for 57 applications, including popular mobile apps with 10 to 50 million downloads from official app marketplaces, and also an app that is pre-installed on a series of devices from one manufacturer," the researchers say.

"The vulnerabilities in these apps are generally inherited from the various usage of the open port, which exposes the unprotected sensitive functionalities of the apps to anyone from anywhere that can reach the open port."

No doubt, an open port is an attack surface, but it should be noted that port opened by an application can not be exploited until a vulnerability exists in the application, like improper authentication, remote code execution or buffer overflow flaws.

Besides this, an attacker must have the IP address of the vulnerable device, exposed over the Internet. But getting a list of vulnerable devices is not a big deal today, where anyone can buy a cheap cloud service to scan the whole Internet within few hours.

However, smartphones connected to the Internet via wireless network behind a router are less impacted by this issue, because in that case, attackers would need to be on the same wireless network as the victim.

To prove its point, the team of researchers has also demonstrated various attacks in a series of videos, posted below:

1. Using an app's open ports to steal photos with on-device malware

2. Stealing photos via a network attack

3. Forcing the device to send an SMS to a premium service

The easiest solution to this issue is to uninstall such apps that open insecure ports, or putting these applications behind a proper firewall could also solve most of the issues.