OnePlus 6 Bootloader Protection bypassed, OnePlus promises fix soon

A smartphone's locked bootloader is responsible for ensuring the system boots into the right operating system. Bypassing the lock mechanism can allow someone to take full control of your phone.

While the vulnerability might appear to be severe in nature, the researcher points out that it requires physical access to the device, along with a tethered connection to a PC. If the boot image is modified to enable insecure ADB, with ADB running as root by default, then an attacker with physical access will have total control over the device. Unlike the situation with the OnePlus 5T, where the company accidentally pre-installed an app that acted as a backdoor, this vulnerability is more intrinsic to the OS. Also, this particular exploit does not require the phone to have USB Debugging enabled.

Jason Donenfeld has reported the problem to OnePlus, and the company issued a response saying, “We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly.”

While the vulnerability could be classified as a serious lapse in security, thankfully, it requires physical access to the device and a PC connection to gain control of the device. Android smartphones have been dealing with an increased level of scrutiny over the last few months, given the sharp rise in malware, ransomware and even cryptojacking attacks. Given the fragmentation of the Android ecosystem, each manufacturer’s own version of Android can have its own set of vulnerabilities. Since OnePlus has acknowledged the problem, maybe the upcoming OTA update can bring a patch for this particular problem as well.