Some smartphones that use Qualcomm chips reportedly come with a hidden backdoor. Mobile security researcher Robert Baptiste, who goes by the pseudonym Elliot Alderson (the name of the main protagonist and vigilante hacker from the popular TV series Mr. Robot), discovered that smartphones with Qualcomm chips are being shipped and sold with an application called Engineer Mode, Motherboard reports. This has reportedly been going on for years.
The Engineer Mode app is meant to be used for testing, while the smartphone is still in the factory. This app allows anyone with physical access to a smartphone (assuming they have the knowledge) to root a device, accessing everything on it. A few lines of code is all that it takes. And although Engineer Mode is password-protected, someone like Robert Baptiste could easily crack it within minutes.
Initially, only the largest Chinese smartphone manufacturer, OnePlus, was accused of shipping devices with a hidden backdoor, but Baptiste and other security researchers have since discovered that Motorola, Xiaomi, Lenovo, and Oppo gadgets appear to be similarly compromised. Anyone can check whether their gadget has the Engineer Mode application by accessing Settings, selecting Apps, then Menu, and then System Apps.
Earlier this year, security researcher Chris Moore published a report proving that OnePlus devices were collecting sensitive information from users and transmitting it to a dedicated server, along with device serial numbers. This was widely covered by the press, so the Chinese company publicly announced that it would scale back on data collection.
Who’s To Blame?
OnePlus seems to have backpedaled again. An engineer from the company announced in a blog post that the problematic portion of Engineer Mode will be removed in the upcoming system update, but also added that the app does “not let 3rd-party apps access full root privileges.” However, Robert Baptiste told Motherboard that Engineer Mode was left on smartphones with the company's knowledge.
“This app is a Qualcomm app customized by OnePlus,” he said. In a Twitter DM, Baptiste confirmed that it was indeed OnePlus that coded the backdoor.
A Qualcomm spokesperson said that the company has “determined that the EngineerMode app in question was not authored by Qualcomm, although remnants of some Qualcomm source code is evident.” The American chip manufacturer believes that others have built upon their code.