Breaking: OnePlus 3 and 3T found to contain vulnerabilities in the bootloader!
OnePlus devices are widely known as the alternative to Nexus phones, because they are unlocked, have a large following, and offer various tweaking and tinkering options. Of course, before you start playing around with rooting, custom ROMs, kernels, and other modifications, you first have to unlock the bootloader on your device. But it seems OxygenOS is more open than it needs to be.
Recently, a new set of vulnerabilities was discovered by Roee Hay, a security researcher. He found that the OnePlus 3 and the OnePlus 3T, from OxygenOS 3.2 up to 4.0.1, contain a vulnerability that allows anyone, using two native fastboot commands, to disable the verified boot feature without actually unlocking the bootloader with the user-accessible command. This means that malicious code could be run without even resetting the user data!
Of course, this flaw was privately disclosed to OnePlus in late January 2017 so that it could be patched immediately. Hence, users who have already upgraded to the incremental OxygenOS 4.0.2 update will not be affected by one of the vulnerabilities.
For now, if you haven’t been updating your OnePlus 3/3T, we recommend that you update immediately! Getting your device up to OxygenOS 4.0.2 will patch the first vulnerability, but until OnePlus rolls out an update that patches the second vulnerability, you’re still not fully safe from these exploits.