Slashdot Mirror

← Back to Stories (view on slashdot.org)

T-Mobile G1 Rooted

Posted by CmdrTaco on from the that-didn't-take-long dept.

An anonymous reader writes "T-Mobile's G1 phone, the first commercially available Android based phone, has been rooted. The exploit is extremely simple to execute, just requiring you to run telnetd from a terminal on the phone, and then connecting to the phone via telnet."

58 of 246 comments (clear)

  1. Re:Really? by Anonymous Coward · · Score: 3, Funny

    I claim this first root post for Spain!

  2. Rooted? by earthcreed · · Score: 5, Funny

    This just in, all machines that you have root access on rooted! If you have access to run telnetd you already have root.

    1. Re:Rooted? by Anonymous Coward · · Score: 2, Informative

      -- unless it's setuid, of course.

    2. Re:Rooted? by Deadplant · · Score: 5, Funny

      in related news, researchers have discovered that if you open a root console on any flavour of linux and stick the keyboard out a window anyone walking by will be able to gain root access to you machine.

    3. Re:Rooted? by deniable · · Score: 3, Insightful
      More importantly, if you have physical access to the console, all bets are off.

      News Flash

      Houses are rootable. If you unlock your doors and hang out a 'rob me' sign, people can break in.

    4. Re:Rooted? by deniable · · Score: 4, Insightful
      Well, yeah. You did run telnet for them. Why else would you run it? Hasn't it been on the list of don't run services for years now?

      The much better question is: why is there a telnetd on the phone in the first place?

    5. Re:Rooted? by neowolf · · Score: 4, Funny

      Agreed. Non-story. This is just stupid.

      Excuse me sir... I would like to hack into your phone. Could you please type this in for me...

    6. Re:Rooted? by Olix · · Score: 3, Insightful

      To be fair though, lots of people /are/ stupid enough to fall for this kind of thing... consider how well that "I love you" worm or whatever it was did a few years back.

      With the right method, I'm sure you could con people into doing something silly with an Offical-sounding text message, and then exploit it.

    7. Re:Rooted? by Pope · · Score: 3, Insightful

      If the door's unlocked, it's hardly "breaking in," is it?

      --
      It doesn't mean much now, it's built for the future.
    8. Re:Rooted? by Sparr0 · · Score: 4, Insightful

      Because telnetd has some tiny fraction of the system overhead of ssh daemons, even "tiny" ones.

    9. Re:Rooted? by Koiu+Lpoi · · Score: 4, Funny

      I would honestly bet that a house with a rob me sign would not be robbed. Most burglars would feel it's some kind of trick.

    10. Re:Rooted? by Anonymous Coward · · Score: 4, Funny

      That reminds me of the van owner that put up a sign saying 'No tools or valuables inside'

      The next morning it had been broken into and the theives had left a note saying 'Just checking'

    11. Re:Rooted? by Anonymous Coward · · Score: 4, Informative

      And it also works in the other way... you can put your already rooted equipment into any window, and anybody inside that house will be able to gain root access, and also call the
      police

    12. Re:Rooted? by paeanblack · · Score: 5, Informative

      If the door's unlocked, it's hardly "breaking in," is it?

      Yes it is.

      The "Breaking" part of "Breaking & Entering" refers to breaking the plane of entry, not physically damaging anything.

      "Breaking" is not actually a separate action from "Entering". The reason they are used together is for clarity...one word derives from Old English, and the other word derives from French. Writing laws this way was useful when the Normans and Saxons were trying to cohabitate on the same island.

      There are many legal terms constructed the same way:
      Null and void
      Cease and desist
      Last Will and Testament
      Aid and Abet
      Goods and Chattels
      Terms and Conditions
      etc.

    13. Re:Rooted? by Smauler · · Score: 4, Informative

      Erm.... Breaking and entering is exactly what it says. Just entering is call trespassing, and just breaking is called criminal damage. Don't ask me how I know :).

    14. Re:Rooted? by haystor · · Score: 5, Funny

      Clearly, we should avoid using windows.

      --
      t
    15. Re:Rooted? by SnowZero · · Score: 5, Funny

      Null and void

      These are very different things, at least if you are a C programmer.

    16. Re:Rooted? by pete_norm · · Score: 5, Funny

      How do you know?

    17. Re:Rooted? by lysergic.acid · · Score: 4, Funny

      i dunno. tech support operators have a hard enough time walking the average person through how to run ipconfig on their windows PCs. trying to get the average person to open a terminal in Linux to run anything would be like trying to walk a cow down a flight of stairs.

    18. Re:Rooted? by sexconker · · Score: 3, Insightful

      The BEST ringtones!
      The FUNNIEST jokes!
      REAL horoscopes tailored for YOU!

      Sports! Fashion! Celebrity gossip! Keno numbers!

      Just text FAIL to 37528!

      Sign up now and get a free spinning rim background!

      SPECIAL BONUS for G1 owners!
      After texting FAIL to 37528, open up telnet to receive your mystery gift!

      Text FAIL to 37528, TODAY!

    19. Re:Rooted? by Anonymous Coward · · Score: 4, Funny

      No. Needs citation and permanent link to reputable source. We will then run it past the legal department and conduct a full analysis of all facts and observations and, upon filing the requisite forms, of course, only then will we consider your suggestion of "humor". Please allow the standard six to eight weeks for the laugh.

    20. Re:Rooted? by jmorris42 · · Score: 2, Informative

      > Agreed. Non-story. This is just stupid.

      Guess you didn't actually read the material. This shouldn't work but somehow a privledge escalation is allowing a non-root user to invoke telnetd and then to connect from outside and actually get a root shell. So the owner of the hardware is able to break int T-Mobile's software. Oh the horror!

      So far it is more likely to simply get patched instead of developing into a full jailbreak but stay tuned. The camel's nose has entered the tent, it just might be able to get all the way in.

      --
      Democrat delenda est
    21. Re:Rooted? by gv250 · · Score: 2, Informative

      Well, entering is called trespassing when it's a civil offense; it's breaking and entering when it's a criminal offense. paeanblack has it right.

      Not in Illinois. 720 ILCS 5/21-3 says, in relevant part:

      Sec. 21-3. Criminal trespass to real property. (a) ... whoever: (1) knowingly and without lawful authority enters or remains within or on a building ... commits a Class B misdemeanor.

    22. Re:Rooted? by Speare · · Score: 4, Funny

      Your right, dammit. Should be "NULL && void*".

      Wow, that's two languages in which you've completely failed. In less than sixty characters.

      --
      [ .sig file not found ]
    23. Re:Rooted? by ncc74656 · · Score: 2, Informative

      Because telnetd has some tiny fraction of the system overhead of ssh daemons, even "tiny" ones.

      CPU usage for an SSH daemon during an interactive session, while it probably is higher than a telnet daemon, is still low enough (0.005% instead of 0.001%, perhaps?) that it'll most likely get lost in the noise. I have dropbear running on a WRT54GL, and it has no trouble keeping up. The trivial CPU usage is worth the added security. It might crunch a bit more during session setup when it's using public-key encryption to set things up, but IIRC everything else gets shared-key encryption (which imposes much less of a load).

      --
      20 January 2017: the End of an Error.
  3. I haven't followed the whole Android business, but by Loibisch · · Score: 5, Funny

    ...wasn't this supposed to be an open platform anyway? I don't quite get it.

  4. Coral to the rescue by MightyYar · · Score: 3, Interesting

    Coral Cache

    On a side note... a hyphenated domain name! How retro...

    --
    W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
    1. Re:Coral to the rescue by Philosinfinity · · Score: 3, Funny

      It could be worse... I chose a domain name with a double hyphen... aleph--null.com Whenever a web form states that my email address is invalid, i realize my folly just a bit more.

    2. Re:Coral to the rescue by Splab · · Score: 3, Insightful

      I've never understood why so many web programmers insist on parsing E-mail addresses, very few are capable of doing it correctly. I usually use splab+someidentification@mydomain.tld - this way I can track where I submitted the address they got - but since programmers insists on parsing the E-mail address they almost always considers + to be invalid.

      Just send the person a confirmation E-mail and bobs your uncle.

    3. Re:Coral to the rescue by GXTi · · Score: 3, Informative
      I don't understand why placeholder arguments aren't used 100% of the time a string is placed into a SQL query. It's completely baffling. Were that the case, SQL injection attacks would be totally infeasible, excepting even dumber TheDailyWTF-grade scenarios like having clients send SQL to the server. I suspect that PHP doesn't have them (or makes them harder to use), which would explain why it's such a horrible language.

      As for validating emails, check that there's at least one @ and that the part after the final @ has at least one dot in it, and you're good to go. No regular expressions required!

  5. Bad Idea by TheAmit · · Score: 4, Insightful

    Waiting to see how many non-Linux types try this and get in trouble. Its not a good idea to change permissions on sh. All other apps you run on your phone and use sh are now running as root [:)] I would be very scared of this setup. Going to enjoy this

    1. Re:Bad Idea by Philosinfinity · · Score: 2, Funny

      Obviously you've never seen this: http://www.garyshood.com/root/

  6. Wait...so.... by kcbanner · · Score: 3, Insightful

    The user...has to run telnetd...as root...how...how is this an exploit? Maybe its more complex than this but the site is currently 503ing for me.

    --
    Obligatory blog plug: http://www.caseybanner.ca/
    1. Re:Wait...so.... by MrMr · · Score: 3, Informative

      No it's not more complex. The curious bit is that telnetd appears to set uid=0 after login, which allows you to make a setuid root shell.

  7. Re:hmnn? by antifoidulus · · Score: 5, Funny

    Well, its a problem if you are both security conscious AND stupid.... oh how I wish that was a much smaller intersection than it actually is....

    --
    Monstar L
  8. This is like saying... by NitroWolf · · Score: 4, Insightful

    This is like saying something is "bricked" when it's just a bad firmware flash that can be fixed.

    The phone isn't rooted. Rooted means someone gained root access through an exploit and/or installed a root kit. Running telnetd and then connecting as root is a normal method of logging in, no exploits required.

    Or are they saying every UNIX system that has a method of remote access is rooted?

    1. Re:This is like saying... by Anonymous Coward · · Score: 5, Funny

      Well, I found an exploit to alter the root password on Unix systems. It's really simple. You just login or su to root, then run the command 'passwd'. Works every time.

    2. Re:This is like saying... by omeomi · · Score: 4, Informative

      The phone isn't rooted. Rooted means someone gained root access through an exploit and/or installed a root kit. Running telnetd and then connecting as root is a normal method of logging in, no exploits required.

      Well, given that it's a device that isn't designed to be root-accessible by the user, this did require somebody to do something that the manufacturer didn't intend in order to gain root access.

      --
      ZuluPad, the wiki notepad on crack
  9. They left Telnetd on it? by LWATCDR · · Score: 3, Insightful

    What???
    Telnetd is one of those things that should just be deleted from every system that it is on.
    Just use SSH folks.

    --
    See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
  10. Re:I haven't followed the whole Android business, by Sparr0 · · Score: 4, Informative

    Sorry, I fail for not RTFA. They are misusing "rooted", which confused me. "rooted" in the popular [geek] vernacular means that a remote non-admin user can gain root access, such as through a buffer overflow exploit. It has nothing to do with the practice of gaining root access on your own devices.

  11. No, you don't have to run as root first. by Animats · · Score: 4, Informative

    It's apparently weirder than that. Running "telnetd" as an ordinary user apparently allows remote logins as root. This happens even though the "telnetd" executable does not apparently come with permissions set-UID to root. If that's correct, there's a security hole somewhere else that's being used by accident here. Is "login" a set-UID program on Android phones?

    (As a robotics guy, I hate the name "Android" being used for a telephone. It's the worst choice since "U.S. Robotics" which ended up as a modem company.)

    1. Re:No, you don't have to run as root first. by SnowZero · · Score: 3, Interesting

      Just about everyone in the robotics community calls them humanoid robots anyway. "Android" and "droid" are pretty much confined to sci-fi, and by the time we have real androids, I'm pretty sure this phone OS will be a thing of the past. Sure, Ishiguro's current work in this area is pretty interesting, but even those robots are only mistaken for humans from a distance, and they aren't mobile.

    2. Re:No, you don't have to run as root first. by Anonymous Coward · · Score: 2, Funny

      As a robotics guy, I hate the name "Android" being used for a telephone.

      This makes about as much sense as hating Apple because you're a grocery store clerk.

  12. iPod Touch = PDA by SkimTony · · Score: 2, Funny

    That depends on your expansion of "PDA." Have you seen the Apple fanboys making out with their devices in public? I think that counts as PDA as well.

  13. Re:I haven't followed the whole Android business, by Yetihehe · · Score: 4, Insightful

    Better get used to it. First was the "hacker" word, now "rooting".
    What's next, "open"?

    --
    Extreme Programming - Redundant Array of Inexpensive Developers
  14. Collective *gasp* by Zarf · · Score: 2, Funny

    ... everyone ready? one... two... three... *gasp*!!!

    --
    [signature]
  15. Whole lot of stupid going on in these replies .. by Idimmu+Xul · · Score: 4, Insightful

    The point of this exploit isn't so you can remotely hack other people's phones, it's so mobile hackers can get to a lower level than Android permits users to do, which will allow them to flash the phone with unsigned custom updates and what not and customise their phone more.

    People should really read the articles and smarten up.

    --
    The problem with slashdot is that most of its users were bullied and stuffed into lockers as kids!
  16. Re:I haven't followed the whole Android business, by Duradin · · Score: 3, Insightful

    Don't forget "bricked".

    Bricked used to mean you took the piece of equipment out to the firing range for its final trouble "shooting".

    Now it means you just press the reset button.

  17. Re:BUT TEH GOOGEL BE TEH DUNT BE TEH EVEL!!!111!!! by Anonymous Coward · · Score: 2, Funny

    Where is the -1: WTF? mod?

  18. Comment removed by account_deleted · · Score: 5, Funny

    Comment removed based on user account deletion

  19. Re:BUT TEH GOOGEL BE TEH DUNT BE TEH EVEL!!!111!!! by Anonymous Coward · · Score: 2, Funny

    -1: Inbred

  20. Re:Whole lot of stupid going on in these replies . by todrules · · Score: 3, Funny

    People should really read the articles and smarten up.

    You must be new here.

  21. Re:Haha this was such a non-hack... by ColdWetDog · · Score: 2, Interesting

    When I found this I didn't even bother posting it to xda for a couple days thinking it was so obvious that it had to be intentional/known.

    Guess other people were in fact interested!

    Next time, just run out and patent the idea. You could make some money.

    --
    Faster! Faster! Faster would be better!
  22. In addition to... by jonaskoelker · · Score: 5, Funny

    So are Terms and Conditions.

    Terms are the things around your pluses and minuses.

    Conditions (in my interpretation) are expressions of an integral type inside a conditional statement.

    I wouldn't want to handle volatile chemicals or long johns or union jacks if I'm about to get struct bylightning. Happened to me once, a long long time ago.

  23. Re:BUT TEH GOOGEL BE TEH DUNT BE TEH EVEL!!!111!!! by xLittleP · · Score: 2, Funny

    Where is the -1: WTF? mod?

    What are you talking about? That could be a great reason for +1, too!

    --
    When is Slashdot going to add a -1 moderation option for people who actually RTFA?
  24. Re:You missed something important... by Eric+Smith · · Score: 2, Informative

    Android does NOT run everything as root. They have a security model that uses separate user ids for many things, and root for almost nothing. When you start the telnetd, it is as a non-root user, and the telnetd is not setuid. However, when you connect to the telnetd from a telnet client, you get a root shell. Something extremely weird and/or broken seems to be going on in there.

  25. Re:I haven't followed the whole Android business, by I'm+not+really+here · · Score: 2, Informative

    Yes. Microsoft is working on that one: http://www.microsoft.com/opensource/licenses.mspx

    --
    Before commenting on the Bible, please read it first
  26. Re:If you already have root... by amorsen · · Score: 2, Informative

    Does this mean that telnetd is setuid root, or does it mean that you already have to have root to get root?

    Neither. That is why this article is news.

    --
    Finally! A year of moderation! Ready for 2019?