A special app has been discovered installed on OnePlus smartphones that, in the hands of a skilled hacker, could allow unauthorized access to the entire device. The app, which is produced by Qualcomm, is known as EngineerMode, and is designed to assist with tests, fault finding, and other prerelease checks while the phone is at the factory. With some code and a password, however, hackers could treat EngineerMode as a “backdoor,” to your phone, making it a serious security problem.
The app was discovered on OnePlus phones by a mobile security researcher on Twitter, who goes by the pseudonym Elliot Alderson (also the name of the main character in USA Network’s hacker series Mr. Robot). With the assistance of researchers at NowSecure, Alderson cracked the password to EngineerMode, demonstrating its weaknesses and the relative ease anyone familiar with the app, and Android’s workings, could gain root access to a OnePlus phone.
EngineerMode has been found on the OnePlus 3, OnePlus 3T, and OnePlus 5 phones. Since the app became widely known, threads have appeared about it on OnePlus’s community forums. Some owners with firewalls installed on their phones report EngineerMode requesting access to the network multiple times per day. Most question why a tool primarily made for prerelease testing is still present on the device after it’s sold.
OnePlus responds to fears
It’s not just OnePlus owners that may have phones with EngineerMode installed, as the Qualcomm tool is likely used by many manufacturers, and has already been found on smartphones produced by Xiaomi and Asus, according to Alderson’s Twitter feed. However, should you be concerned? Does EngineerMode pose a serious security risk?
OnePlus has responded to the situation in a post on its community forums. A member of the OxygenOS — the name given to OnePlus’s version of Android — team wrote:
“Yesterday, we received a lot of questions regarding an apk found in several devices, including our own, named EngineerMode, and we would like to explain what it is. EngineerMode is a diagnostic tool mainly used for factory production line functionality testing and after sales support.
“We’ve seen several statements by community developers that are worried because this apk grants root privileges. While, it can enable adb root which provides privileges for adb commands, it will not let 3rd-party apps access full root privileges. Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require physical access to your device.
While we don’t see this as a major security issue, we understand that users may still have concerns and therefore we will remove the adb root function from EngineerMode in an upcoming OTA.”
It’s not the first time OnePlus has needed to respond to security concerns. In October a data collection program was discovered on OnePlus devices, which the company claimed was used for diagnostic and customer service needs, but owners were automatically enrolled into the program. Changes were made to OxygenOS so owners could opt-out of the data program during setup.
OnePlus is currently preparing to launch the OnePlus 5T, an updated version of its current OnePlus 5, which launched earlier this year.
