Regardless, the fact that the attacker would
need physical access to the device in order to gain root access to it via EngineerMode means that the existence of the diagnostics tool isn't considered a major security vulnerability by OnePlus, especially since not even that scenario would allow for backdoor root privileges to be granted to potentially malicious apps.
«That means that anyone
with physical access to the device — either an intruder or an insider — could connect the devices one by one to a computer and install malicious applications,» he told LinuxInsider.
OnePlus has taken the steps to rectify these gaps, and the Engineer Mode flaw in particular is only particularly damaging if an attacker is able to
gain physical access to your device and get past your lock screen — which would be cause for concern no matter what phone you're using.
Essentially, an attacker would need
physical access to the device to easily achieve root access and execute malicious code or commands, making this one of the less terrible vulnerabilities that we've seen.
In a blog post, the company reiterates that this exploit can only be utilized if an attacker has
physical access to the device and has enabled USB Debugging.
This exploit doesn't allow for a malicious app to grant itself root access, though, so unless someone has
physical access to your device to set up ADB, then you're safe from exploitation.
The trick here is that this code will only be sent to your cell phone, meaning no one can get into your Google account without having
physical access to your device.
Security researchers found that, with
physical access to the device, an attacker could hack an Amazon Echo and capture the raw microphone input, steal Amazon authentication tokens, and more.
Your PIN or password protects access to your Android device, and unlocking the bootloader opens holes that allow people with
physical access to your device to bypass your PIN or password.
But, if someone has
physical access to your device and wants to bypass the password, there's nothing you can do to stop them.
Additionally, adb root is only accessible if USB debugging, which is off by default, is turned on, and any sort of root access would still require
physical access to your device.
According to Rashid, the exploit does not necessarily rely on the attacker having
physical access to the device, as was initially believed by Ledger.