As reported on XDA Developers, and first noticed by researcher Jason Donenfeld of Edge Security, the bootloader on the OnePlus 6 isn’t as locked down as it should be – that’s the part of the phone’s built-in firmware that stops you replacing the OnePlus OS with whatever else you want to install instead.
It turns out that OnePlus 6 lets you boot any code you like, even when the bootloader is supposedly locked, without having to jump through the usual security hoops first – so a host of malware could be installed and you’d be none the wiser.
To exploit the flaw, someone would need physical access to your phone, a USB cable, and a computer, so this isn’t something you’re going to get hit by while your OnePlus 6 is in your pocket. Nevertheless, it looks like an oversight from the manufacturer.
The phone maker has confirmed in a statement that a fix for the bug is going to be rolling out shortly, but until then don’t let your OnePlus 6 out of your sight. While the chances of someone taking advantage of the exploit are in reality very slim, we’re talking about fundamental Android security measures, so it’s surprising that OnePlus has missed this.
According to reports, OxygenOS 5.1.6 still includes the hack-friendly bootloader, so a patch might be included in OxygenOS 5.1.7. When we get more information on a software update, we’ll let you know.