The OnePlus 6 bootloader has a flaw
A locked bootloader is supposed to protect the original software loaded on your phone, preventing you from booting arbitrary or modified images placed on the device. However, a vulnerability with the bootloader on the OnePlus 6
will allow you to boot arbitrary or modified images even if the bootloader is locked. This flaw was discovered by XDA member Jason Donenfeld, who is president of Edge
To take advantage of the vulnerability, a hacker needs to not only have physical access to your OnePlus 6
, he also has to have your phone hooked up with a PC. From there, it is a simple matter of restarting the handset in Fastboot and loading the modified image. Android Police
was able to install the TWRP recovery on a OnePlus 6 even with the bootloader locked. This could allow some ne'er do well to give themselves root access to your device and have his/her way with the handset.
If you're like many of us and you worry about sharing your phone with anyone (including family members) for fear that it will end up with a cracked screen on the floor, drenched from a swim in the toilet, or melted on the stove, you probably shouldn't worry about this too much. After all, this group of smartphone owners usually have their phones on them 24/7, or at least always know where they are at all times.
OnePlus has issued a statement today, stating that it plans on talking to Mr. Donenfeld and promising to issue a software update.
"We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly."-OnePlus