Beware of fake software updates for OnePlus devices
When's the last time you heard about a fake software update? Well, it seems like OnePlus owners are in for a nasty surprise. Security experts found a security exploit a few weeks ago that allows fake software updates to be installed on OnePlus devices. This piece of malware can downgrade or even completely replace the phone's software.
If you are using OnePlus One, you should probably refrain from connecting to a public Wi-Fi signal in the near future. The Indian multinational IT services company, HCL Technologies, recently found that some crafty hackers have managed to use public Wi-Fi signals as a channel to transfer a supposed software update onto your phone - which in reality turns out to be a malware ridden Trojan horse.
A so-called man-in-the-middle attack allows attackers who are connected to the same Wi-Fi signal so send a supposed OTA update to your OnePlus device. This OTA may contain an older version of Oxygen OS, which in turn opens old Android security holes again and thus allows further attacks. A proof-of-concept video shows a successful downgrade.
The vulnerability was discovered primarily because OnePlus delivers the updates to its users unencrypted. Other vulnerabilities in OnePlus' update system allow the firmware to be replaced by an older or a completely different version, for example from Oxygen OS to Hydrogen OS - even if the bootloader of the device is locked.
So what can you do to protect your OnePlus device?
Because the software of the OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X, and that of the OnePlus One are affected, you won't be able to simply apply the tried and trusted tip: "Do not update your software to the latest Oxygen OS version". This might actually make the problem worse. The current issue can only by fixed by OnePlus by amending its update infrastructure.
Security experts have explained that by simply taking a few common sense security precautions, you can greatly reduce the risk of receiving this exploit. The first thing you can do to avoid this is not connect to public Wi-Fi networks. You should also enable Full Disk Encryption and Secure Boot.
Yet another basic engineering gaffe. "The fail is strong with this one."