The IT Nerd

There were rumors of this for several days last week, and now I can confirm that the OnePlus website has been pwned by hackers with the confirmation coming form OnePlus itself. The impact is that 40,000 customers may have had credit card info swiped from the site by hackers. To be more specific, anyone who made a purchase on the OnePlus website between November 2017 and 11 January 2018 may be at risk. However if you paid via PayPal, or paid with previously saved credit card details, you’re likely fine. If that’s you, OnePlus will serve up the usual  year of credit monitoring service for free. And you should check your bank statements for any suspect charges as that is how this came to light. Oh yeah, if you want a OnePlus phone right now, you better have a PayPal account as credit card payments are suspended for the time being..

If you own a OnePlus phone, then it is entirely possible that you phone could be open to pwnage as there’s an app on it that allows people to have root access (or complete access to do whatever one wants). Here’s the details:

The app was discovered by a mobile security researcher who goes online by the pseudonym of Elliot Alderson — the name of the main character in the Mr. Robot TV series.

Speaking to Bleeping Computer, the researcher said he started investigating OnePlus devices after a story he saw online last month detailing a hidden stream of telemetry data sent by OnePlus devices to the company’s servers.

The researcher, who also owns a OnePlus 5 device, started investigating the company’s OS by first looking at the source code of OpDeviceManager, the app that was responsible for the telemetry collection.

“As expected OPDeviceManager does pretty nasty things, so I continued to dig into the OnePlus apps,” the researcher said.

“After a while, I found this EngineerMode app. It was just a question of time before I found something interesting in it,” Alderson said.

He goes on to say that a clever hacker could leverage this to pwn the phone, launch malware attacks, enlist the phone into a botnet, etc. And he says there’s “more” to come in terms other potential threats that exist on most if not every OnePlus device.

That’s not good.

The company has said it’s looking into these claims, but seeing as other security researchers have confirmed these findings, and the tech media is picking up this story, OnePlus will have to do more than look into this. They’ll have to come up with a robust explanation as to why this phone has all of this present and what they are going to do about it to ensure the security of their users.

UPDATE: Apparently OnePlus is going to yank this backdoor in a future over the air update. Though they “don’t see this as a major security issue.” Details here.

Users on Reddit are reporting on a problem that seems kind of troubling. Apparently if you own a OnePlus 5 and if you dial emergency services in the UK via 999 or do the same thing in the US or Canada which is 911, your phone will reboot. One user even took to Facebook to show the fail in action. I for one don’t recommend that you try this at home as the authorities get kind of upset when you needlessly dial your local emergency services.

For its part OnePlus has been spreading the word that they’re working with customers individually to solve the issue. That kind of implies that there is a bug that they need to fix. If you’ve tripped over this, send an email to support@oneplus.net to start the process to get you sorted.