June 13, 2017

All OnePlus Devices Vulnerable to OS Downgrade Attacks Due to 4 Unpatched Flaws

OnePlus devices, even when running the latest available software, are vulnerable to attacks that downgrade the phone's operating system and re-expose the device to previously patched security flaws.

A security researcher, Roee Hay of Aleph Research, HCL Technologies, has discovered four trivial vulnerabilities that affect all OnePlus handsets (One/X/2/3/3T) running OxygenOS 4.1.3 and below or HydrogenOS 3.0 and below, the latest releases at the time. OxygenOS and HydrogenOS are OnePlus's custom versions of Android, shipped on the global-market and Chinese-market phones respectively.


According to Hay, the vulnerabilities allow a man-in-the-middle (MitM) attacker to intercept the phone's OTA update request and answer it with an older, still validly signed, version of the software, after which vulnerabilities that were fixed in later releases can be exploited again. The downgrade does not trigger a factory reset, and once the phone is back on older software it is exposed to every flaw patched since that release.

Hay reported the problems to OnePlus in January 2017, but the company did not address any of them.

When OnePlus had still not patched the issues after the 90-day responsible-disclosure period and a further 14-day extension, the researcher published the details, which are summarised below.

Vulnerability details:

1. CVE-2016-10370: OnePlus OTA Updates Over HTTP

OnePlus pushes the signed OTA over plain HTTP, which enables a trivial MitM attack.

Hay and Sagi Kedmi, who independently discovered the same issue, report that OnePlus delivers its signed OTA updates over HTTP without TLS. Anyone positioned on the network path between the phone and the update server can therefore intercept the update request and hijack the OTA process.

Because the OTA packages carry a digital signature, this bug alone is not enough to push a malicious update to an affected device. It does, however, let the attacker substitute any OnePlus-signed package of their choosing, and that is what the three vulnerabilities below turn into an attack: none of them breaks the signature; they exploit what the device is willing to install once a signature checks out.

2. CVE-2017-5948: OnePlus OTA Downgrade Attack

Allows a remote attacker to downgrade the operating system of a targeted OnePlus device, running either OxygenOS or HydrogenOS, to an earlier version containing previously disclosed vulnerabilities.

Because all OnePlus OTAs, across ROMs and products, are signed with the same key, the device accepts and installs any OnePlus-signed OTA image, even with a locked bootloader.

Android's stock OTA updater script refuses to install a package whose build is older than the one currently on the device (it compares the package's build timestamp against the device's ro.build.date.utc property and aborts on a downgrade). OnePlus OTAs lack this anti-rollback check, so the device never verifies that the offered image is at least as new as the installed OS.

OnePlus One/X/2/3/3T are affected by this vulnerability.

The video below shows Hay performing the OS downgrade attack.

3. CVE-2017-8850: OxygenOS/HydrogenOS Crossover Attack

Attackers can install HydrogenOS over OxygenOS, and vice versa, on a targeted OnePlus device, even with a locked bootloader.

That means an attacker could install OxygenOS on a device shipped with HydrogenOS (the Chinese-market ROM), or the reverse; in some cases the mismatched ROM leads to crashes or a permanent denial of service. The attack is possible because both ROMs are verified against the same OTA signing keys.

OnePlus One/X/2/3/3T are affected by this vulnerability.

4. CVE-2017-8851: OnePlus OTA One/X Crossover Attack

Attackers can install the OTA of one product over the other, even on locked bootloaders.

This flaw affects only the OnePlus One and OnePlus X. It is essentially the same weakness as the two above, but here a MitM attacker can replace the OS (Oxygen or Hydrogen) built for the OnePlus X with the OS built for the OnePlus One, or the reverse, even on a locked bootloader. It works because the two devices "use the same OTA verification keys" and "share the same ro.build.product system property", so neither the signature check nor a product assertion tells them apart.
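
The three flaws above are all gaps in what the device checks after the signature verifies. The following Python model, added here as an illustration and not code from OnePlus or Aleph Research, implements the acceptance gates whose absence the article describes: an anti-rollback comparison on the build timestamp (the check stock Android recovery performs on ro.build.date.utc), a ROM-flavour assertion, and a per-model assertion keyed on something the One and X do not share. The ROM labels, the key name, the per-model identifiers ("bacon"/"onyx" are community codenames used as constructed values) and all timestamps are constructed for the example, not taken from real OnePlus packages.

```python
"""Added example, not OnePlus or Aleph Research code: a model of the OTA
acceptance policy whose gaps CVE-2017-5948, CVE-2017-8850 and CVE-2017-8851
describe.

Stock Android recovery aborts an update whose ro.build.date.utc is older
than the installed build's and asserts the package matches the device.
The Build fields mirror those properties; ROM labels, key name, per-model
identifiers and timestamps are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Build:
    product: str    # ro.build.product, e.g. "OnePlus3"
    device: str     # per-model identifier (assumption: ro.product.device or
                    # the build fingerprint); the One and X share
                    # ro.build.product, so a product check alone cannot
                    # tell them apart
    rom: str        # ROM flavour, constructed label: "OxygenOS" / "HydrogenOS"
    version: str    # marketing version string, e.g. "4.1.3"
    date_utc: int   # ro.build.date.utc: build timestamp, seconds since epoch


@dataclass(frozen=True)
class OtaPackage:
    target: Build   # metadata of the build the package would install
    signer: str     # constructed id of the key whose signature verified


def check_ota(installed: Build, ota: OtaPackage, trusted_signers: frozenset) -> list:
    """Return every reason to reject `ota` on a device running `installed`.
    An empty list means the package passes all gates."""
    reasons = []
    t = ota.target
    # Gate 1: signature. Necessary, but with one key shared across all
    # products and ROMs it passes for every OnePlus-built package, so the
    # remaining gates cannot be skipped.
    if ota.signer not in trusted_signers:
        reasons.append(f"signature: untrusted signer {ota.signer!r}")
    # Gate 2: model. Keyed on the per-model id, not ro.build.product,
    # which the One and X share (CVE-2017-8851).
    if t.device != installed.device:
        reasons.append(f"model: built for {t.device}, device is {installed.device}")
    # Gate 3: ROM flavour, blocking Oxygen<->Hydrogen crossover (CVE-2017-8850).
    if t.rom != installed.rom:
        reasons.append(f"rom: package is {t.rom}, device runs {installed.rom}")
    # Gate 4: anti-rollback, the comparison stock recovery performs on
    # ro.build.date.utc; its absence is the downgrade flaw (CVE-2017-5948).
    # Equal timestamps (reinstalling the same build) are allowed.
    if t.date_utc < installed.date_utc:
        reasons.append(
            f"downgrade: {t.version} ({t.date_utc}) is older than "
            f"installed {installed.version} ({installed.date_utc})")
    return reasons


# Constructed sample builds; timestamps are illustrative, not real build dates.
ONEPLUS_KEY = "oneplus-ota-release"           # the single key every OTA shares
TRUSTED = frozenset({ONEPLUS_KEY})

OP3_OXYGEN_413 = Build("OnePlus3", "oneplus3", "OxygenOS", "4.1.3", 1494000000)
OP3_OXYGEN_400 = Build("OnePlus3", "oneplus3", "OxygenOS", "4.0.0", 1484000000)
OP3_OXYGEN_414 = Build("OnePlus3", "oneplus3", "OxygenOS", "4.1.4", 1496000000)
OP3_HYDROGEN_30 = Build("OnePlus3", "oneplus3", "HydrogenOS", "3.0", 1495000000)
# One and X carry the same ro.build.product value; "ONE" is a constructed stand-in.
ONE_OXYGEN = Build("ONE", "bacon", "OxygenOS", "2.1.4", 1450000000)
X_OXYGEN = Build("ONE", "onyx", "OxygenOS", "2.2.3", 1460000000)


def demo() -> dict:
    """Run the attack shapes from the article plus a legitimate upgrade."""
    return {
        "upgrade": check_ota(OP3_OXYGEN_413, OtaPackage(OP3_OXYGEN_414, ONEPLUS_KEY), TRUSTED),
        "downgrade": check_ota(OP3_OXYGEN_413, OtaPackage(OP3_OXYGEN_400, ONEPLUS_KEY), TRUSTED),
        "rom_crossover": check_ota(OP3_OXYGEN_413, OtaPackage(OP3_HYDROGEN_30, ONEPLUS_KEY), TRUSTED),
        "product_crossover": check_ota(X_OXYGEN, OtaPackage(ONE_OXYGEN, ONEPLUS_KEY), TRUSTED),
        "unsigned": check_ota(OP3_OXYGEN_413, OtaPackage(OP3_OXYGEN_414, "attacker-key"), TRUSTED),
    }


if __name__ == "__main__":
    for name, reasons in demo().items():
        verdict = "ACCEPT" if not reasons else "REJECT: " + "; ".join(reasons)
        print(f"{name:18} {verdict}")
```

Every attack in the demo is signed with the trusted key and clears gate 1; only the downgrade and crossover gates reject it. That is the point the article makes: the shared key turns "the signature verified" into "OnePlus built this at some point", which is not the same as "this is the right image for this device".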

Serving OTAs over HTTPS/TLS would close the network attack vector and is an easy fix. Note, however, that only the first flaw is a transport problem: the missing anti-rollback check and the single shared signing key are weaknesses in the update verification itself, and they remain relevant for any attacker who can get a OnePlus-signed package onto the device by other means.

Because exploitation requires the attacker to sit on the network path between the phone and the update server, most easily by sharing a Wi-Fi network with the victim, users are advised to connect only to trusted Wi-Fi networks until a fix ships.

Hay has published a proof-of-concept exploit for the above vulnerabilities.

About the author 

Chaitanya

