OnePlus phones have been getting plenty of bad press lately, thanks to malicious apps found to be factory-installed on a percentage of the devices, along with some intrusive data collection features the manufacturer has installed. As it turns out, though, the story gets worse.
Recently, a security researcher going by the alias "Elliot Alderson" discovered a factory-installed application called "Engineering Mode" that can perform a series of intrusive hardware diagnostic routines, and can even be used to root the device. What's worse is that security flaws in the app make it easy for hackers to exploit.
Alderson believes that the likeliest scenario for the existence of the Engineering Mode application is that it was a diagnostic app installed and used at the factory to test OnePlus phones prior to shipment. Somehow, the app was never uninstalled after the initial testing was completed, exposing OnePlus users to extreme danger of losing control over their devices and any data stored on them.
According to Alderson, all a hacker would need is physical access to the phone. Once he has it in hand, one simple command is all it takes to root the phone. Other researchers have independently verified Alderson's findings. Since he first published them, the company has admitted their mistake and promised to remove Engineering Mode from all OnePlus phones in a future update, although no ETA has given for when that might occur.
If you currently own and use a OnePlus phone, be aware of this and use with caution. Keep on the lookout for the update from the manufacturer which will remove the "feature" for you, but if you'd rather not wait, you can go into the phone's settings and manually remove it.
Physical security of smart devices has always been vitally important, but in the case of the OnePlus, that's doubly true. Keep it close!