When a charger is connected to a powered-off OnePlus 3/3T device, the platform starts adbd with ADB authorization disabled. Therefore, a malicious charger or a physical attacker can open an ADB session with the device without authorization, in order to further exploit other vulnerabilities and/or exfiltrate information from the device. For example, the malicious charger can reboot the device into bootloader mode (fastboot) in order to exploit fastboot-related vulnerabilities, as detailed in the blog post.
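A triage helper for checking whether a device exhibits this behaviour, added here as an example and not part of the original advisory: with the phone powered off and plugged into a host running adb, the output of `adb devices -l` is parsed and any device already in the `device` state (session established, no host-key prompt possible on a powered-off phone) is flagged; the serials, model string and the `assess`/`parse_adb_devices` names are assumptions, and the sample output is constructed.

```python
"""Triage helper for the OnePlus 3/3T charger-mode adbd issue.

Manual procedure: power the phone off, connect it to a host with adb, then
run `adb devices -l`. A phone that is only charging should either not appear
at all or appear as 'unauthorized' (adbd waiting for the host key to be
accepted on screen, which cannot happen while powered off). Appearing as
'device' means adbd granted the session with authorization disabled.
"""
import subprocess
from dataclasses import dataclass


@dataclass
class AdbDevice:
    serial: str
    state: str   # 'device', 'unauthorized', 'offline', 'recovery', ...
    props: dict  # extra key:value fields printed by `adb devices -l`


def parse_adb_devices(output: str) -> list[AdbDevice]:
    """Parse the text printed by `adb devices -l` into AdbDevice records."""
    devices = []
    for line in output.splitlines():
        line = line.strip()
        # Skip the header and any '* daemon ...' status lines.
        if not line or line.startswith("List of devices") or line.startswith("*"):
            continue
        fields = line.split()
        serial, state, extra = fields[0], fields[1], fields[2:]
        props = dict(f.split(":", 1) for f in extra if ":" in f)
        devices.append(AdbDevice(serial, state, props))
    return devices


def assess(output: str) -> dict[str, str]:
    """Map each serial to a verdict for a phone that is powered off and charging."""
    verdicts = {}
    for d in parse_adb_devices(output):
        if d.state == "device":
            verdicts[d.serial] = "VULNERABLE: ADB session established without authorization"
        elif d.state == "unauthorized":
            verdicts[d.serial] = "OK: adbd is enforcing host-key authorization"
        else:
            verdicts[d.serial] = f"INCONCLUSIVE: state '{d.state}'"
    return verdicts


# Constructed sample output (serials and model string are made up, not captured).
SAMPLE = """List of devices attached
0123456789ABCDEF       device usb:1-2 product:OnePlus3 model:ONEPLUS_A3003 device:OnePlus3
FEDCBA9876543210       unauthorized usb:1-3
"""


def live_assess() -> dict[str, str]:
    """Run the real `adb devices -l` on this host and assess its output."""
    out = subprocess.run(["adb", "devices", "-l"], capture_output=True, text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    for serial, verdict in assess(SAMPLE).items():
        print(serial, verdict)
```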
The following video shows how a ‘charger’ exploits CVE-2017-5622, CVE-2017-5624 and CVE-2017-5626 to replace the system partition and install a privileged app. Note that once the replacement is complete, the victim has no indication that the device has been tampered with: