Friday, August 26, 2016

Be Warned: Despite Acknowledging the Issue, OnePlus is still Leaking your IMEI when you Check for Updates

The OnePlus One was one of the first Android smartphones that proved that consumers didn’t need to shell out $600+ for a flagship experience. In other words, even at a lower price point you should never settle for purchasing an inferior product.

I can still remember the hype surrounding the specification reveal for the OnePlus One – the company capitalized on the fanaticism displayed by Android enthusiasts when it came to leaks. OnePlus decided to slowly unveil the specifications of the phone one-by-one for a few weeks prior to the official launch – and it worked.

At the time, we salivated over the phone’s use of the Snapdragon 801 with a 5.5″ 1080p display as well as the very enticing partnership with the fledgling startup Cyanogen Inc. (of whom Android enthusiasts were very excited about due to the popularity of CyanogenMod). And then OnePlus dropped the biggest bombshell on us all – the $299 starting price. Only one other phone had truly amazed me for its cost-performance – the Nexus 5 – and the OnePlus One blew it out of the water. I remember many Nexus enthusiasts torn between making an upgrade to the OnePlus One or waiting for the release of the next Nexus.

The OnePlus One Captured the Attention of Nexus Fans that No Other Phone could Entice

The OnePlus One Captured the Attention of Nexus Fans that No Other Phone could Entice

But then OnePlus made a series of decisions that, although some were economically justifiable, killed some momentum for the brand among Android enthusiasts. First it was the controversy surrounding the invite system, then came the controversial advertisements and falling out with Cyanogen, then the company received some hate for the OnePlus 2 release which in many people’s eyes failed to live up to its “Flagship Killer” moniker, and finally there’s the redheaded stepchild OnePlus X smartphone which has only just received Android Marshmallow a few days ago.


Two steps forward, one step back

To OnePlus’s credit, the company was able to rekindle the hype surrounding its products with the OnePlus 3. This time around, OnePlus not only made sure to address many of the grievances reviewers and users had against the OnePlus 2, but even went above and beyond in addressing early review complaints and releasing source code for custom ROM developers. Once again, OnePlus has created a product compelling enough to have me reconsider waiting for the release of the next Nexus phone, and have several members of our staff buy one (or two) for themselves. But there’s one issue that some of our staff are wary about – the software. We’re pretty split on how we use our phones – some of us live on the bleeding edge and flash custom ROMs like sultanxda’s unofficial Cyanogenmod 13 for the OnePlus 3, while others only run the stock firmware on their device. Among our staff, there’s some disagreement about the quality of the recently released OxygenOS 3.5 community build (which we will explore in a future article), but there’s one issue that we all agree on: utter bewilderment at the fact that OnePlus uses HTTP to transmit your IMEI while checking for software updates.

Note the (Redacted) IMEI Included in the HTTP POST Request

Note the (Redacted) IMEI Included in the HTTP POST Request Body

Yes, you read that right. Your IMEI, the number that uniquely identifies your particular phone, is sent unencrypted to OnePlus’s servers when your phone checks for an update (with or without user input). This means that anyone listening in on the network traffic in your network (or unbeknownst to you, while you’re browsing our forums while connected to a public hotspot) can grab your IMEI if your phone (or you) decides it’s time to check for an update.

XDA Portal Team member and former Forum Moderator, b1nny, discovered the issue by intercepting his device’s traffic using mitmproxy and posted about it on the OnePlus forums back on July 4th. After doing some further digging into what was going on when his OnePlus 3 was checking for an update, b1nny found that OnePlus does not require a valid IMEI to offer an update to the user. To prove this, b1nny used a Chrome app called Postman to send an HTTP POST request to OnePlus’s update server and edited his IMEI with garbage data. The server still returned the update package as expected. b1nny made other discoveries regarding the OTA process (such as the fact that the update servers are shared with Oppo), but the most concerning part was the fact that this unique device identifier was being transmitted over HTTP.


No Fix Yet in Sight

After discovering the security issue, b1nny did his due diligence and attempted to contact both OnePlus forum moderators and customer service representatives who might be able to forward the issue up the chain to the relevant teams. A moderator did claim that the issued would be passed on; however, he was unable to receive any confirmation that the issue was being looked into. When the issue was initially brought to the attention of Redditors on the /r/Android subreddit, many were concerned but were confident that the issue would be swiftly resolved. At the XDA Portal, we too believed that the insecure HTTP POST method used for pinging the OTA server for an update would be eventually fixed. The initial discovery of the issue was on OxygenOS version 3.2.1 of the OS (though it could have existed in previous versions as well), but b1nny confirmed with us yesterday that the issue still persists on the latest stable version of Oxygen OS: version 3.2.4.

POST:
User-agent:       UA/ONEPLUS A3003/XXX/OnePlus3Oxygen_16.A.13_GLO_013_1608061823/V1.0.0_20150407
Content-Type:     text/plain; charset=UTF-8
Host:             i.ota.coloros.com
Connection:       Keep-Alive
Accept-Encoding:  gzip
Content-Length:   188
Raw
{"version":"1","mobile":"ONEPLUS A3003","ota_version":"OnePlus3Oxygen_16.A.13_GLO_013_1608061823","imei":"XXX","mode":"0","type":"1","language":"en","beta":"0","isOnePlus":"1"}

ANSWER:
Server:        nginx
Date:          Wed, 24 Aug 2016 18:20:24 GMT
Content-Type:  application/json;charset=UTF-8
Connection:    keep-alive
X-Server-ID:   hz0231
No content

However, with the recent release of the OxygenOS 3.5 community build we were again curious to see if the issue persisted. We reached out to OnePlus regarding this issue and were told by a spokesperson from the company that the issue had indeed been patched. However, we had one of our portal members flash the latest community build and use mitmproxy to intercept his OnePlus 3’s network traffic, and to our surprise we discovered that OxygenOS was still sending an IMEI in the HTTP POST request to the update server.

POST http://ift.tt/29kOs9d HTTP/1.1
User-Agent: com.oneplus.opbackup/1.3.0
Cache-Control: no-cache
Content-Type: application/json; charset=utf-8
Host: i.ota.coloros.com
Connection: Keep-Alive
Accept-Encoding: gzip
Content-Length: 188
Raw
{"version":"1","mobile":"ONEPLUS A3000","ota_version":"OnePlus3Oxygen_16.X.01_GLO_001_1608221857","imei":"XXX","mode":"0","type":"0","language":"en","beta":"0","isOnePlus":"1"}

This, despite the apparent confirmation that the issue was resolved deeply worries us at XDA. It doesn’t make sense for OnePlus to use HTTP to send a request to its servers, if all they want to do is use our IMEI for data mining purposes then they could probably do so in a much more secure method.


IMEI Leaks and You

There’s nothing substantially dangerous about your IMEI leaking over a public network. Although it uniquely identifies your device, there are other unique identifiers that could be used maliciously. Applications can request access to see your device’s IMEI quite easily. So what’s the issue? Depending on where you live, your IMEI could be used to track you by the government or a hacker who is apparently interested enough in you. But those aren’t really concerns for the average user.

The biggest potential issue could be illicit uses of your IMEI: including but not limited to blacklisting your IMEI or cloning the IMEI to be used on a black market phone. If either scenario occurred, it could be a massive inconvenience to dig yourself out of this hole. Another potential issue is regarding applications that still use your IMEI as an identifier. Whatsapp, for instance, used to use an MD5-hashed, reversed version of your IMEI as your account’s password. After looking around online, some shady websites claim to be able to hack Whatsapp accounts using a phone number and IMEI, but I cannot verify them.

Still, it’s important to safeguard any information that uniquely identifies you or your devices. If privacy issues are important for you, then this practice by OnePlus should be concerning. We hope that this article serves to inform you about this potential security implications behind this practice, and to bring this situation to OnePlus’s attention (once more) so that it may be fixed promptly.

HostGator Web Hosting

0 comments:

Post a Comment