
OnePlus One launch delayed to fix critical OpenSSL bug

The few lucky early buyers of the OnePlus One CyanogenMod-based handset are still waiting for their phones despite initial promises it would ship in mid- to late May. OnePlus, the company behind the device, recently sent emails to its small base of early smartphone shoppers, saying the phone software just received a "major update" and the company was "perfecting some final issues."

It wasn't clear what the hold-up was, but now a Cyanogen staffer has stepped forward to shed a little light on the issue. In a Reddit forum posting, CyanogenMod Head Moderator Abhisek Devkota said the new OpenSSL bug that became public last Thursday was to blame.

"We decided to include the correction for those vulnerabilities, in the factory release of the One," Devkota said on Reddit. "A new release means the whole firmware needs to be re-certified (including QA time), but we believe the security benefits outweigh the delay."

Devkota also added that the last-minute delay wasn't "due to missing set deadlines or expectations."

The OpenSSL bug Devkota referred to was a critical flaw that could allow man-in-the-middle attackers to decrypt and modify encrypted data in transit over SSL (Secure Sockets Layer) and TLS (Transport Layer Security).

The bug wasn't quite as devastating as the Heartbleed bug discovered in April, but another major flaw further reinforced the OpenSSL Software Foundation's need for financial support. The bug apparently existed in the code for more than 15 years.

The Core Infrastructure Initiative (CII)—a group sponsored by Amazon Web Services, Cisco, Dell, Facebook, Fujitsu, Google, IBM, Intel, Microsoft, NetApp, Rackspace, VMware and The Linux Foundation—recently announced it would give the OpenSSL project enough funds to hire two full-time core developers.

The OnePlus delay means a longer wait for the few hundred lucky folks slated to get the OnePlus One first. However, fixing a critical security flaw before the phones leave the factory is well worth it and indicates a willingness on the part of OnePlus and Cyanogen to properly serve their customers.
