Hot topics

Beware of fake software updates for OnePlus devices

AndroidPIT oneplus 3t 1356
© nextpit

When's the last time you heard about a fake software update? Well, it seems like OnePlus owners are in for a nasty surprise. Security experts found a security exploit a few weeks ago that allows fake software updates to be installed on OnePlus devices. This piece of malware can downgrade or even completely replace the phone's software. 

If you are using OnePlus One, you should probably refrain from connecting to a public Wi-Fi signal in the near future. The Indian multinational IT services company, HCL Technologies, recently found that some crafty hackers have managed to use public Wi-Fi signals as a channel to transfer a supposed software update onto your phone - which in reality turns out to be a malware ridden Trojan horse. 

A so-called man-in-the-middle attack allows attackers who are connected to the same Wi-Fi signal so send a supposed OTA update to your OnePlus device. This OTA may contain an older version of Oxygen OS, which in turn opens old Android security holes again and thus allows further attacks. A proof-of-concept video shows a successful downgrade.

The vulnerability was discovered primarily because OnePlus delivers the updates to its users unencrypted. Other vulnerabilities in OnePlus' update system allow the firmware to be replaced by an older or a completely different version, for example from Oxygen OS to Hydrogen OS - even if the bootloader of the device is locked.

So what can you do to protect your OnePlus device?

Because the software of the OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X, and that of the OnePlus One are affected, you won't be able to simply apply the tried and trusted tip: "Do not update your software to the latest Oxygen OS version". This might actually make the problem worse. The current issue can only by fixed by OnePlus by amending its update infrastructure. 

system up to date
How can you be sure that you've downloaded a legitimate update?  / © NextPit

Security experts have explained that by simply taking a few common sense security precautions, you can greatly reduce the risk of receiving this exploit. The first thing you can do to avoid this is not connect to public Wi-Fi networks. You should also enable Full Disk Encryption and Secure Boot. 

 The Best Portable Projectors in 2024

  The best choice The best value for money The best for less The all-rounder The challenger The best laser TV
Product
Image Xgimi Halo+ Product Image Dangbei Neo Product Image Technaxx TX-127 Product Image Samsung Freestyle Product Image Nebula Anker Capsule 3 Laser Product Image Formovie Theater Product Image
Offers

To find out more, browse through our comprehensive Portable Projectors buying guide.

Go to comment (1)
Eric Ferrari-Herrmann

Eric Ferrari-Herrmann
Senior Editor

Eric has been with AndroidPIT since 2014. He’s writing articles and reviews for the German website. Topics are mostly privacy and new technology but there's also the occasional piece on environmental sustainability.

To the author profile
Liked this article? Share now!
Recommended articles
Latest articles
Push notification Next article
1 Comment
Write new comment:
All changes will be saved. No drafts are saved when editing
Write new comment:
All changes will be saved. No drafts are saved when editing

  • 49
    storm May 15, 2017 Link to comment

    Yet another basic engineering gaffe. "The fail is strong with this one."

    Dwarfer66Deactivated Account