Hot topics

Beware of fake software updates for OnePlus devices

AndroidPIT oneplus 3t 1356
© nextpit

When's the last time you heard about a fake software update? Well, it seems like OnePlus owners are in for a nasty surprise. Security experts found a security exploit a few weeks ago that allows fake software updates to be installed on OnePlus devices. This piece of malware can downgrade or even completely replace the phone's software. 

If you are using OnePlus One, you should probably refrain from connecting to a public Wi-Fi signal in the near future. The Indian multinational IT services company, HCL Technologies, recently found that some crafty hackers have managed to use public Wi-Fi signals as a channel to transfer a supposed software update onto your phone - which in reality turns out to be a malware ridden Trojan horse. 

A so-called man-in-the-middle attack allows attackers who are connected to the same Wi-Fi signal so send a supposed OTA update to your OnePlus device. This OTA may contain an older version of Oxygen OS, which in turn opens old Android security holes again and thus allows further attacks. A proof-of-concept video shows a successful downgrade.

The vulnerability was discovered primarily because OnePlus delivers the updates to its users unencrypted. Other vulnerabilities in OnePlus' update system allow the firmware to be replaced by an older or a completely different version, for example from Oxygen OS to Hydrogen OS - even if the bootloader of the device is locked.

So what can you do to protect your OnePlus device?

Because the software of the OnePlus 3T, OnePlus 3, OnePlus 2, OnePlus X, and that of the OnePlus One are affected, you won't be able to simply apply the tried and trusted tip: "Do not update your software to the latest Oxygen OS version". This might actually make the problem worse. The current issue can only by fixed by OnePlus by amending its update infrastructure. 

system up to date
How can you be sure that you've downloaded a legitimate update?  / © NextPit

Security experts have explained that by simply taking a few common sense security precautions, you can greatly reduce the risk of receiving this exploit. The first thing you can do to avoid this is not connect to public Wi-Fi networks. You should also enable Full Disk Encryption and Secure Boot. 

 The best gaming monitors at a glance

  Best gaming monitor up to $400 Best gaming monitor up to $600 Best gaming monitor up to $800 Best gaming monitor up to $1,000 Best gaming monitor for consoles
Model
Image LG Ultragear 27GP850P - product image Asus ROG Strix XG27AQ - product image BenQ MOBIUZ EX3210U - product image Asus ROG Swift PG27AQDM - product image Gigabyte M32U - product image
Offers
Go to comment (1)
Eric Ferrari-Herrmann

Eric Ferrari-Herrmann
Senior Editor

Eric has been with AndroidPIT since 2014. He’s writing articles and reviews for the German website. Topics are mostly privacy and new technology but there's also the occasional piece on environmental sustainability.

Liked this article? Share now!
Recommended articles
Latest articles
Push notification Next article
1 Comment
Write new comment:
All changes will be saved. No drafts are saved when editing
Write new comment:
All changes will be saved. No drafts are saved when editing

  • 49
    storm May 15, 2017 Link to comment

    Yet another basic engineering gaffe. "The fail is strong with this one."

    Dwarfer66Deactivated Account