Update | Security vulnerability discovered in the new OnePlus 6
Update: As promised, OnePlus has released an update addressing the bootloader vulnerability. It comes as the OxygenOS 5.1.7 update and is available to all—bar users in India who'll have to wait for the 5.1.8 update.
OnePlus released the OnePlus 6 last month, and while the device has received mixed reviews, it’s still considered one of the best value flagships on the market. In typical fashion, however, the OnePlus 6 comes with a flaw. Wouldn’t be much of a OnePlus device if it didn’t, in fact.
A new report by XDA has discovered that the OnePlus 6 allows the flashing of unverified boot images, even when the device’s bootloader is locked. Android bootloaders are supposed to prevent the flashing of unsigned images, so it’s a tad confusing how OnePlus let something so basic get past them. Of course, the same company released the OnePlus 5 with an inverted display panel last year, so this may as well be about par.
The vulnerability means that users of the OnePlus 6 don’t have to unlock their bootloaders before tinkering with their devices. On the flip side, it also means that unsavory individuals can just wipe and install whatever image they fancy if they get their hands on a OnePlus 6. The whole process, of course, requires physical access to the device and a computer from which to run the needed commands.
OnePlus has acknowledged the issue and stated that it is working on a security update that closes off the loophole.