[bb10adopter111]

Unbelievably, the OnePlus engineering team left a huge backdoor in security that allows anyone with physical access to your phone to easily "get virtually unlimited access to their files and software."

OnePlus Backdoor Means Hackers Could Take Over Your Phone

It's been generally accepted that consumers "don't care about security," but that's mostly because they assume that their products are reasonably secure.

This is a great example of how that's simply not the case. In an environment where security isn't a top priority, it will eventually be compromised for the sake of convenience. In this case, in order to facilitate manufacturing, OnePlus created an "Engineering Mode" with a global password that allows access to everything on a phone. This is a universal backdoor.

Of course, now that it's been revealed, it will be patched, but the fact that nobody at OnePlus bothered to stop it in the first place is the issue. There is clearly no focus on security at OnePlus. In terms of screwups, this is the equivalent of not bolting a wing onto a plane properly during manufacture. It's an egregious error that demonstrates a complete lack of security safeguards.

I'm not saying that only Blackberry is secure. Samsung and Apple both have robust security models, but this illustrates clearly that one should NOT assume that a generic Android phone is secure. The problem here was not with Android itself, but with the implementation of it on the OnePlus phones. And that's the point. HOW Android is implemented varies from device to device, and security must be vigilantly engineered throughout to be effective.

[dastillero1975]

Almost every Android device has a built-in backdoor called Play Store. I worked with an Android apps development team in the past and the revisions Google do to approve the apps that will go in the store are just a joke...
Apple have an edge here as you cannot expect your app approved before 7-10 days most of the time (I'm talking about Spain) while it will take 1-2 days to be approved by Google.
While I like Android because of it openness, I assume that it is an inferior OS security wise compared to iOS, the defunct Windows Mobile and BBOS 10 of course.
It is not fair that makers leave those backdoor exposed (I suspect that almost all of them have some kind of backdoor in their software) but if you chose Android you probably chose the most insecure mobile OS out there.

[Bla1ze]

I'm not saying that only Blackberry is secure.

Should hope not, since the same app is present on BB devices. It's just locked down properly. Go ahead. Look. It's there. lol

[bb10adopter111]

Right. It's an implementation issue. But, like I said, failure to lock it down betrays a very ineffective security culture. This is the problem with the smart phone market. Many manufacturers don't have any kind of comprehensive approach to security. To them they're just making consumer electronics. There's nothing wrong with the existence of "engineering mode." But to secure the phone, it simply can't be accessible to anyone (including the user) post manufacture. Once a phone has been delivered and activated, a thief, spy, spouse, hacker, or disgruntled colleague should not be able to access it without the owner's help. That's Security 101.

[Invictus0]

Someone that avoids a phone over this probably wouldn't get a BlackBerry device either because of their statements on encryption and issues with BBM.

Security just isn't as big a priority as it should be, I wouldn't be surprised if many smartphone owners don't even realize their phones can be easily compromised or put at risk by running older software.

[thurask]

I'm not saying that only Blackberry is secure. Samsung and Apple both have robust security models, but this illustrates clearly that one should NOT assume that a generic Android phone is secure.

Samsung and Apple also have direct competitors to the OnePlus 5T, though. The Motion is a few rungs below the 5T/S8/iPhone on the ladder.

Moreover, as has been said, if this patched vulnerability is reason enough to disqualify OnePlus then BB's past escapades count too.

[bb10adopter111]

Someone that avoids a phone over this probably wouldn't get a BlackBerry device either because of their statements on encryption and issues with BBM.

Security just isn't as big a priority as it should be, I wouldn't be surprised if many smartphone owners don't even realize their phones can be easily compromised or put at risk by running older software.

Blackberry's statements on encryption wouldn't deter an Enterprise customer who has a legal responsibility to retain records and produce them if required by a court. Don't confuse privacy with security. They are often, but not always, related.

Posted with my trusty Z10

[bb10adopter111]

Samsung and Apple also have direct competitors to the OnePlus 5T, though. The Motion is a few rungs below the 5T/S8/iPhone on the ladder.

Moreover, as has been said, if this patched vulnerability is reason enough to disqualify OnePlus then BB's past escapades count too.

Consumer BBM security is not really relevant for business use. No business requiring secure communications would use it. It wasn't a cybersecurity failure by BlackBerry that created the vulnerability. It was a policy of complying with legal requests by law enforcement.

Is that a huge privacy concern? Absolutely. But it's not a security failure. The system was as secure as it was intended to be.

To my knowledge, BlackBerry has never had an egregious cybersecurity failure of any scale because it's always been a priority. That's my point.

And I know consumers don't care, and I honestly don't care what choices individuals make with their own data. That's on them. But security-minded enterprises have to manage real risks, and need to eliminate sloppy companies from their cybersecurity supply chain.

This was a fundamental failure, akin to leaving a door unlocked. No big deal if you go out for a stroll in your neighborhood, but instant termination for an employee at a prison, bank, armory, power plant etc.

Posted with my trusty Z10

[tickerguy]

The BBM issue is in no way related to a handset backdoor left intentionally open by a manufacturer.

That's not an "oops", it's a choice -- to put it in there in the first place, and then not have the auditing procedures so that when you transition from development to production it is not removed.

Sorry, those aren't identical or even in the same league. Never mind that OnePlus was caught before using telemetry that was wildly inappropriate and sending data home to "Momma" -- in CHINA.

That was "patched" too, but only once discovered independently, which again goes to the point -- it was put in there on purpose and was only removed when discovered by third parties.

If you wish to buy handsets from people who intentionally do that sort of thing, be my guest. After all most of you load the Facesucker app on your phone, right? Was that not the entire reason BlackBerry's BB10 handsets didn't find "commercial acceptance"?

We live in a drugged world, and those companies are the ones doing the drugging. Were we to apply the law equally we'd need more wood chippers to insert those people into -- feet first (rhetorically of course) exactly as we do with international drug traffickers.

[Invictus0]

Blackberry's statements on encryption wouldn't deter an Enterprise customer who has a legal responsibility to retain records and produce them if required by a court. Don't confuse privacy with security. They are often, but not always, related.

Posted with my trusty Z10

I think you're underestimating the impact statements and news like that have on enterprise customers, just look at their reception on IT focused publications.

https://forums.theregister.co.uk/for..._water_cooler/

https://www.itworldcanada.com/articl...-reveal/382481

https://www.theinquirer.net/inquirer...-on-encryption

etc

Breaking encryption is in a different league from your examples and one without a consensus. Realistically, IT admins are consumers at heart and with how competitive the device and EMM markets are I'm sure these issues would influence decisions (for or against).

If we're just discussing enterprise users though, I don't see why the OnePlus issue would deter them either as EMM software could disable USB debugging (Knox does it by default IIRC, not sure about others).

The BBM issue is in no way related to a handset backdoor left intentionally open by a manufacturer.

That's not an "oops", it's a choice -- to put it in there in the first place, and then not have the auditing procedures so that when you transition from development to production it is not removed.

It's not intentional that consumer BBM still doesn't use encryption like many of their competitors do? Or issues like this?

http://www.cbc.ca/news/technology/bl...ages-1.3620186

https://www.theregister.co.uk/2012/0...ia_bbn_server/

https://www.theguardian.com/technolo...bia-ban-lifted

Telemetry issues aren't exclusive to OnePlus or Chinese OEM's either, we saw it recently with Microsoft and Windows, it comes up with Google and Android every now and then as well.

[FishhPoohh]

Unbelievably, the OnePlus engineering team left a huge backdoor in security that allows anyone with physical access to your phone to easily "get virtually unlimited access to their files and software."

OnePlus Backdoor Means Hackers Could Take Over Your Phone

It's been generally accepted that consumers "don't care about security," but that's mostly because they assume that their products are reasonably secure.

This is a great example of how that's simply not the case. In an environment where security isn't a top priority, it will eventually be compromised for the sake of convenience. In this case, in order to facilitate manufacturing, OnePlus created an "Engineering Mode" with a global password that allows access to everything on a phone. This is a universal backdoor.

Of course, now that it's been revealed, it will be patched, but the fact that nobody at OnePlus bothered to stop it in the first place is the issue. There is clearly no focus on security at OnePlus. In terms of screwups, this is the equivalent of not bolting a wing onto a plane properly during manufacture. It's an egregious error that demonstrates a complete lack of security safeguards.

I'm not saying that only Blackberry is secure. Samsung and Apple both have robust security models, but this illustrates clearly that one should NOT assume that a generic Android phone is secure. The problem here was not with Android itself, but with the implementation of it on the OnePlus phones. And that's the point. HOW Android is implemented varies from device to device, and security must be vigilantly engineered throughout to be effective.

I
They didn't fix it because the hacker would need to physically have the device in their possession in order to gain access. I personally would have loved to see Blackberry Mobile team up with Oneplus to make a top tier device. The Oneplus 5T with 64gb of storage is going to sell for $479. Add Blackberry's security to it and sell it for $600. Boom, instant hit

Rock'n that Passport SE aka the KeyONE's fat sister

[bb10adopter111]

I
They didn't fix it because the hacker would need to physically have the device in their possession in order to gain access. I personally would have loved to see Blackberry Mobile team up with Oneplus to make a top tier device. The Oneplus 5T with 64gb of storage is going to sell for $479. Add Blackberry's security to it and sell it for $600. Boom, instant hit

Rock'n that Passport SE aka the KeyONE's fat sister

Loss and theft of devices is common. The basic rules of security is that any device not in its owners hands should be absolutely unexploitable. This vulnerability would allow a threat actor to disable theft protection and impersonate the employee, among other things

Root access is fine for enthusiasts who like to tinker or customize their devices, but it's an unacceptable risk in an Enterprise context.

Companies should restrict BYOD devices to a white list of companues with a proven track record on security. Generic Android phones shouldn't be on that list, even with "Android for Work."

Posted with my trusty Z10

[Invictus0]

Lost and theft of devices is common. The basic rules of security is that any device not in its owners hands should be absolutely unexploitable.

In that case Android simply wouldn't be an option for enterprise. If a hacker found an Android device on the ground they'd have a loooong list of vulnerabilities to try,

Google Android : CVE security vulnerabilities, versions and detailed reports

Enterprise would probably be fine with just remotely wiping a device once it's lost instead of assuming it'll be unexploitable. This also ignores that EMM would lock down devices anyway to the point where some exploits (including the one in OP) may not even work.

[bb10adopter111]

In that case Android simply wouldn't be an option for enterprise. If a hacker found an Android device on the ground they'd have a loooong list of vulnerabilities to try,
detailed reports.

Enterprise would probably be fine with just remotely wiping a device once it's lost instead of assuming it'll be unexploitable. This also ignores that EMM would lock down devices anyway to the point where some exploits (including the one in OP) may not even work.

My whole point bus that generic Android IS unacceptable. That is not true for BlackBerry or Samsung devices (and probably for Pixel as well). No one has demonstrated an ability to access a BlackBerry Android phone in that way, and, while Samsung phones can be rooted, doing so blows the Knox "fuse" which cuts of access to all enterprise data.

Also, Enterprise is definitely NOT satisfied with wiping a device, because that can only be done after the device's loss is known. A lot can happen before then. If a skilled mobile phone hacker finds my BB10 or BlackBerry Android on the street, the only thing they could do is try the security 10 times and fail, resulting in a security wipe of the phone.

Not to put too fine a point in it, but while we would never fire an employee for losing a device to theft, we would instantly fire an employee who exposed sensitive data through the theft of a device. Protecting company and client data at all times is part of our BYOD agreement and a key job requirement. We have a zero tolerance policy for employees who allow information to be compromised.


Posted with my trusty Z10

[Ment]

1) Get physical device,
2) turn on USB debugging after getting past FP/pin. Since you already got to 2) you're hosed anyway in terms of security.
3) use adb exploit

I think this is what we call a nothingburger in terms of affecting the end users in device selection.

[bb10adopter111]

1) Get physical device,
2) turn on USB debugging after getting past FP/pin. Since you already got to 2) you're hosed anyway in terms of security.
3) use adb exploit

I think this is what we call a nothingburger in terms of affecting the end users in device selection.

I'm pretty sure the user needs a network administrator to enable USB debugging with Samsung Knox or BlackBerry' Enterprise for "work" resources.

I agree that most Android phones are highly exploitable. That's my point.

End users can buy any device they like, but that doesn't mean their employers should let them all on the network!
Posted with my trusty Z10

[Invictus0]

My whole point bus that generic Android IS unacceptable. That is not true for BlackBerry or Samsung devices (and probably for Pixel as well). No one has demonstrated an ability to access a BlackBerry Android phone in that way, and, while Samsung phones can be rooted, doing so blows the Knox "fuse" which cuts of access to all enterprise data.

Also, Enterprise is definitely NOT satisfied with wiping a device, because that can only be done after the device's loss is known. A lot can happen before then. If a skilled mobile phone hacker finds my BB10 or BlackBerry Android on the street, the only thing they could do is try the security 10 times and fail, resulting in a security wipe of the phone.

I believe wiping a device after 10 wrong password attempts is a stock Android feature now.

Hypothetically assuming the patches haven't been applied, what's stopping someone from hacking BB Android through Android vulnerabilities like BlueBorne, KRACK, or Stagefright? BB Android's main security selling point is root protection (which proved itself with QuadRooter) but in other areas it's vulnerable to the same exploits as a generic device. Android is Android at the end of the day, the real differentiator in this case is monthly patching.

[bb10adopter111]

I believe wiping a device after 10 wrong password attempts is a stock Android feature now.

Hypothetically assuming the patches haven't been applied, what's stopping someone from hacking BB Android through Android vulnerabilities like BlueBorne, KRACK, or Stagefright? BB Android's main security selling point is root protection (which proved itself with QuadRooter) but in other areas it's vulnerable to the same exploits as a generic device. Android is Android at the end of the day, the real differentiator in this case is monthly patching.

Yes, monthly patching is critical, of course. But it's not sufficient if the company implementing Android is ADDING vulnerabilities through lax internal controls and a general lack of concern for security. Securing Android devices requires more than just slapping in the right version of the OS.

Posted with my trusty Z10

[anon(2313227)]

I believe wiping a device after 10 wrong password attempts is a stock Android feature now.

Not sure about that. I forgot pin to htc m9 which is on N. After a while it put a huge delay 30 seconds before you can try again but doesn't wipe. Basically I can probably with time get it if I keep trying theoretically.

I just opted to wipe it instead though via hw reset as I forgot the pin because I loaned it to someone and changed pin to something I don't normally use so they don't know my regular pin.

[Invictus0]

Yes, monthly patching is critical, of course. But it's not sufficient if the company implementing Android is ADDING vulnerabilities through lax internal controls and a general lack of concern for security. Securing Android devices requires more than just slapping in the right version of the OS.

Posted with my trusty Z10

Fair enough and OnePlus should certainly do better in this regard as this isn't the first incident but OEM's are largely reliant on Google to secure Android. There are companies that have forked Android to do it themselves but they miss out on Google services as a result.

Not sure about that. I forgot pin to htc m9 which is on N. After a while it put a huge delay 30 seconds before you can try again but doesn't wipe. Basically I can probably with time get it if I keep trying theoretically.

I just opted to wipe it instead though via hw reset as I forgot the pin because I loaned it to someone and changed pin to something I don't normally use so they don't know my regular pin.

It could be device specific, I'm finding posts about it going back a few years.

https://forums.androidcentral.com/ht...u-get-rid.html

[bb10adopter111]

Fair enough and OnePlus should certainly do better in this regard as this isn't the first incident but OEM's are largely reliant on Google to secure Android. There are companies that have forked Android to do it themselves but they miss out on Google services as a result.



It could be device specific, I'm finding posts about it going back a few years.

https://forums.androidcentral.com/ht...u-get-rid.html

This wasn't a problem with Android. OnePlus didn't bother to shut down access to an app that was used in manufacture. Also, the method for gaining root access was secured with a ridiculously easy global password ("angela" from Mr. Robot) which took the hacker less than three hours to crack.

Posted with my trusty Z10

[tickerguy]

Well, now to be fair my device is on my Exchange server, and I can send a "wipe" command from the Exchange management system. If the phone connects to that server once the request has been made, it wipes immediately.

So yes, there's "lost device" protection in an Exchange environment even without "formal" EMM. But -- if you can get into the device you can remove the account, which of course shuts off that path. Therefore, the question is "can you break into the device and remove the Exchange link before it's known to be compromised or lost?"

If yes, then the so-called security is worthless.

[Dunt Dunt Dunt]

I don't think anyone has a worst track record for security vulnerabilities... than BLU. Yet they still have three of the top selling unlocked smartphones on Amazon in the US.

In the end there is a reason Google and Microsoft send out monthly patches, right or wrong that seems to be enough for most all Android users. But might also be why Apple dominates in enterprise.

This means nothing for BlackBerry.... as they aren't even a consideration for most of enterprise at this point - simply due to the uncertainty (and maybe past track record and no sign that things have changed for the better) and avilablity.

[bb10adopter111]

I don't think anyone has a worst track record for security vulnerabilities... than BLU. Yet they still have three of the top selling unlocked smartphones on Amazon in the US.

In the end there is a reason Google and Microsoft send out monthly patches, right or wrong that seems to be enough for most all Android users. But might also be why Apple dominates in enterprise.

This means nothing for BlackBerry.... as they aren't even a consideration for most of enterprise at this point - simply due to the uncertainty (and maybe past track record and no sign that things have changed for the better) and avilablity.

Most people buying Blu phones aren't connecting them to enterprise networks, and any organizations that allow that sort of generic Android phone to connect to their resources deserve what they get.

But the myth that all Android phones are equivalent from a cybersecurity perspective is just silly. The OS is obviously a critical component, but it's just one component. A company that does not have a large, dedicated cybersecurity analysis and engineering team is not a good candidate for a fleet or BYOD.

Blu, OnePlus, and other "generic" Android manufacturers can be made reasonably secure for general use if their users behave properly. But generic Android is simply not secure enough for most serious professional environments.

Enterprise IT and cybersecurity leaders know this. That's why they prefer Apple and Samsung, both of whom have proven their commitment to security. BlackBerry is also highly qualified in cybersecurity, but, as you say, they don't have the same reputation in 2017.

My point is not that the Motion will sell millions of units because OnePlus screwed the pooch in cybersecurity. It's that the OnePlus fail demonstrates why enterprises shouldn't allow generic Android's on their networks in the mistaken belief that a OnePlus phone is just as secure as Samsung, BlackBerry, Apple, or (possibly Google).

Posted with my trusty Z10

[BigBadWulf]

In that case Android simply wouldn't be an option for enterprise. If a hacker found an Android device on the ground they'd have a loooong list of vulnerabilities to try,

Google Android : CVE security vulnerabilities, versions and detailed reports

Enterprise would probably be fine with just remotely wiping a device once it's lost instead of assuming it'll be unexploitable. This also ignores that EMM would lock down devices anyway to the point where some exploits (including the one in OP) may not even work.

Vulnerabilities abound. Look here, or here for example. You can either live off the grid in a tinfoil house, or stay connected conscious that you need to apply some common sense in both security and behavior.