OnePlus fixes security problem in bootloader OnePlus 6
OnePlus has fixed a vulnerability in the bootloader of the OnePlus 6. The security hole made it possible to flash images without decrypting the bootloader and enabling usb debugging.
OnePlus does not mince words when presenting the solution and only states that the ‘bootloader has been updated for security improvements’. With this update, OxygenOS is at version 5.1.7. The update is currently being “rolled out”, which means it may take longer in some countries than others for the update to actually propagate. Connecting via VPN to a country where the update is already online is an option to bypass the wait.
The vulnerability was discovered by developer zx2c4, who was able to flash a modified image on an OP6 with a secure bootloader. While this makes installing a custom OS easier, it also means that an attacker only needs to have physical access to the phone to get in. There was no need to bypass the lock screen and its security.