The Hacker News did up this fancy new graphic for what is ultimately an old problem. That problem? OnePlus doesn’t use a secure channel to deliver OTA updates. Instead of HTTPS or TLS, your stock OnePlus device will check for and receive software updates over plain old HTTP.
The specific flaws are as follows:
Exactly what I wrote above, that OnePlus OTAs are not delivered in a secure manner. This flaw makes the next three attacks possible.
An additional fly in the ointment: Because all OTA updates from OnePlus are signed with the same key, it’s possible to disguise a downgrade as an upgrade, making the target less secure.
Because of that shared key it’s also possible to disguise a Hydrogen OS OTA as an Oxygen one, and vice versa.
Again with the shared key… it’s also possible to remotely inject an OTA meant for a OnePlus X onto a OnePlus One, and vice versa.
Keep in mind that for any of this to work the attacker would have to be on the same network as you (so they can intercept the plaintext HTTP traffic), and you yourself would have to approve the incoming update on your device. But the fact remains that these vulnerabilities wouldn’t exist at all if OnePlus used HTTPS or TLS to check for and deliver updates.
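To make the shared-key point concrete, here is an added example in Python. It is not code from this post or from OnePlus, and the real OnePlus OTA format and signing scheme are not described here, so HMAC-SHA256 with a constructed key stands in for "a vendor signature that validates on every OTA", and every descriptor, model string and version number below is constructed. It contrasts a signature-only verifier (which accepts all three of the swaps listed above) with one that also binds the device model, OS flavour and a monotonically increasing version into the check, and adds one tampered descriptor to show what the signature alone does cover.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Tuple
from urllib.parse import urlparse

# Constructed stand-in for the single vendor signing key the post describes.
# The real OnePlus signing scheme is not on the page; HMAC-SHA256 plays the
# role of "a signature that is valid for every OTA the vendor ever signed".
VENDOR_KEY = b"constructed-shared-vendor-key"


def _canonical(metadata: dict) -> bytes:
    return json.dumps(metadata, sort_keys=True).encode()


def sign_ota(metadata: dict) -> dict:
    """Produce a 'signed' OTA descriptor (constructed format, not OnePlus's)."""
    sig = hmac.new(VENDOR_KEY, _canonical(metadata), hashlib.sha256).hexdigest()
    return {"metadata": metadata, "sig": sig}


def signature_valid(package: dict) -> bool:
    """Integrity only: was this descriptor signed with the vendor key?"""
    expected = hmac.new(VENDOR_KEY, _canonical(package["metadata"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, package["sig"])


@dataclass(frozen=True)
class DeviceState:
    model: str                 # e.g. "OnePlus One"
    os: str                    # "OxygenOS" or "HydrogenOS"
    version: Tuple[int, ...]   # currently installed build as a comparable tuple


def parse_version(s: str) -> Tuple[int, ...]:
    return tuple(int(part) for part in s.split("."))


def transport_ok(url: str) -> bool:
    """First layer: refuse to fetch an OTA descriptor over plaintext HTTP at all."""
    return urlparse(url).scheme == "https"


def naive_accept(package: dict, device: DeviceState) -> bool:
    """Signature-only check: accepts anything the shared key ever signed."""
    return signature_valid(package)


def hardened_accept(package: dict, device: DeviceState) -> Tuple[bool, str]:
    """Signature plus binding to device model, OS flavour and a monotonic version."""
    if not signature_valid(package):
        return False, "bad signature"
    m = package["metadata"]
    if m["model"] != device.model:
        return False, "wrong device model"
    if m["os"] != device.os:
        return False, "wrong OS flavour"
    if parse_version(m["version"]) <= device.version:
        return False, "downgrade or replay"
    return True, "ok"


def run_scenarios() -> Dict[str, Tuple[bool, Tuple[bool, str]]]:
    """Run the post's three shared-key swaps (plus one tamper) through both verifiers."""
    device = DeviceState(model="OnePlus One", os="OxygenOS", version=(1, 1, 0))
    # All version strings and descriptors here are constructed for the example.
    packages = {
        "legit":     sign_ota({"model": "OnePlus One", "os": "OxygenOS",   "version": "1.2.0"}),
        "downgrade": sign_ota({"model": "OnePlus One", "os": "OxygenOS",   "version": "1.0.0"}),
        "hydrogen":  sign_ota({"model": "OnePlus One", "os": "HydrogenOS", "version": "1.2.0"}),
        "wrong_dev": sign_ota({"model": "OnePlus X",   "os": "OxygenOS",   "version": "1.2.0"}),
    }
    # Editing a signed descriptor after signing: caught by either verifier.
    tampered = sign_ota({"model": "OnePlus One", "os": "OxygenOS", "version": "1.0.0"})
    tampered["metadata"]["version"] = "1.2.0"
    packages["tampered"] = tampered
    return {name: (naive_accept(p, device), hardened_accept(p, device))
            for name, p in packages.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in run_scenarios().items():
        print(f"{name:10s} signature-only={naive!s:5s} hardened={hardened}")
```

The signature-only verifier says yes to the downgrade, the HydrogenOS package and the OnePlus X package because the key is the same for all of them; only the edited descriptor fails. The hardened verifier rejects each of the three with a specific reason, and `transport_ok` is the cheap first line of defence the post is really asking for: if the descriptor never travels over plaintext HTTP, an on-path attacker on your network has nothing to swap in the first place.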
I’ll add to this that the company should also be quicker to update the factory images on their site. I understand and can appreciate their practice of rolling out OTAs by region, but I see too many users on reddit and their forums installing updates from dodgy sources, like some random person’s MEGA account.