Tim
According to users on reddit and the OnePlus forums, every time an owner of a OnePlus 3 checks to see if they have an update via the Settings menu, their IMEI is sent to the OnePlus servers in plain HTTP and not HTTPS. Because of this, OnePlus 3 owners on an unsecured network (a coffee shop with public WiFi access point, for example), potentially expose their device’s specific IMEI number to would-be evil doers.
With an IMEI in the hands of someone not so trustworthy, a device could be blacklisted (marked as stolen, lost, etc.) in a carrier’s database, making the possibility of activating it on a network extremely difficult. This action can be reversed by the true owner of a device, but you can imagine it’s not the easiest process to deal with when it involves US carriers.
To sum up what’s happening here, every time you select “check for updates,” a POST request is sent to a specific URL from the OnePlus 3. This request contains the IMEI of the device in the user agent, as well as in a header labeled “imei.”
For this to negatively affect a OnePlus 3 owner, he or she would need to be on an unsecured network, check for an update, and at the same exact time, an individual would need to be fishing for this information on that same network. In the real world, the chances of something like this happening to OnePlus 3 owners seems small, but still, this is plain sloppy work from the folks at OnePlus and should be fixed immediately.
At this time, OnePlus has not addressed this issue, and until a fix is provided (which would most likely require a security update), be sure to only check for software updates while on a secured network.
Collapse Show Comments29 Comments