You can add all of the passwords and security features you want to a device but even the smallest of flaws can make them all useless. That appears to be the case with many OnePlus phones including the OnePlus 3, 3T, 5 and 5T. Hackers with physical access to a device can now gain nearly unlimited access by using a debugging tool designed for device manufacturers.
The software, called EngineerMode, appears to have been mistakenly left on the devices. The backdoor was discovered by Robert Baptiste, a freelance security researcher. Security firm NowSecure then assisted in determining the software's password in order to make it usable by anyone.
In an ironic pop culture reference, Mr. Baptiste goes by Mr. Robot protagonist Elliot Alderson on Twitter. The password to unlock EngineerMode is "angela," the name of another character from Mr. Robot.
In a conversation with CNET, Baptiste called the backdoor "quite severe" considering an attacker needs only gain physical access to the device. By entering a few lines of code from a computer, privilege levels are escalated to root.
The tool was designed by Qualcomm who said they are looking into the issue. OnePlus is also aware of the vulnerability and is investigating.