Bug In Android Passes Keystrokes To Root Shell

pasokon writes "ZDNet reports on an Android bug in T-Mobile G1s with early versions of the firmware: 'When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. ... open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: (enter)-r-e-b-o-o-t-(enter). Poof, your phone will reboot.'"

This is simply mind-boggling.

[jcr]

I can't imagine how or why anyone could accidentally pipe all user input through a root shell. This is one for the WTF of the decade.

-jcr

Re:This is simply mind-boggling.

[Otto]

Read this:
http://android.jim.sh/index.php/ConsoleShell

Looks like debugging code left behind...

Re:This is simply mind-boggling.

[ultramk]

This is obviously bad for Apple. I mean if the iPhone weren't all like, locked down, and, um....

Yeah, anyway, the iPhone is done for, no question. I mean you can't even GET to root shell on an iPhone, and here it is a standard feature on Android! Mind-boggling indeed!

Re:This is simply mind-boggling.

[SharpFang]

I can perfectly well imagine someone purposely piping all the user input to root shell for easy debug and development, then forgetting to disable it in the release version.

Re:This is simply mind-boggling.

A better way would be to require holding down e.g. "c" during boot to enable it. Automatically sending ALL keystrokes to the console is a bad idea, even for debugging.

Re:This is simply mind-boggling.

[hummassa]

my_iPhone$ su -
Password:alpine
my_iPhone#

You are waaayyy late :-)

Re:This is simply mind-boggling.

[tyler_larson]

Verified this still works on the latest OTA update, RC29.

Re:This is simply mind-boggling.

[tyler_larson]

If you want to keep from fubar-ing your G1 by typing in the wrong stuff accidentally, just type "cat [enter]" first thing when you power on the device, and it will be defused from then on. All input will be harmlessly filed away to stdout.

Re:This is simply mind-boggling.

[JackassJedi]

Yeah the iPhone is really dead now. Apple totally blew it, I agree. It's totally done for. This is a total misfeature: a hidden root shell!
BTW what's this 'Android' you're talking about?

Re:This is simply mind-boggling.

[RzUpAnmsCwrds]

The latest OTA update is RC30, which patches the issue (I confirmed this on my G1).

Re:This is simply mind-boggling.

[BitZtream]

So could I, and I'd damn will fire that person in an instant. You a key combo or something at startup to trigger such actions, not do it by default.

You also make sure these things don't ever make it into production builds using #ifdef's or whatever java's flavor is.

This is simply unacceptable for a product like this, not one, but several people should be walking out the door right now for letting this A) happen and more importantly B) slip through the cracks of the QA/Release cycle.

Re:This is simply mind-boggling.

[stwf]

well of course it was debug code left in by mistake. The real question is how does debug code like this get in there without clear processes in place to make sure it never gets released to the public.

I'll chalk it up to google growing pains since its the fist product they've ever shipped (yes I'm ignoring those indexing boxes they sell). Selling an OS that runs locally is alot different then deploying server based apps.

So hopefully they see this as a wakeup call and create some release protocols. Otherwise this is going to be a rocky road for them

Re:This is simply mind-boggling.

[tyler_larson]

You mean defused until you type Control-z, Control-d or Control-c, right?

Nope. I really do mean from then on. Read the various write-ups to understand why.

And for bonus points, see if you can find your phone's "control" key.

Re:This is simply mind-boggling.

[darkpixel2k]

You mean defused until you type Control-z, Control-d or Control-c, right?

Uuh...how often do you type those key combos into your phone??

Re:This is simply mind-boggling.

[darkpixel2k]

If you want to keep from fubar-ing your G1 by typing in the wrong stuff accidentally, just type "cat [enter]" first thing when you power on the device, and it will be defused from then on. All input will be harmlessly filed away to stdout.

Wait--you're missing the big picture.
Jailbreak the phone!

Woo! We now have root access! We can hax0r the phone and load our own custom applic...what? Oh. Shit. Wrong phone. I'll wait for the next iPhone article.

Re:This is simply mind-boggling.

[AC-x]

Somebody needs to check the source control history for init.c and then give a certain someone a damn good thrashing!

Re:This is simply mind-boggling.

[drinkypoo]

for bonus points, see if you can find your phone's "control" key.

Even if it had one, why would they enable job control in a debugging root shell on an embedded device? The #1 most useful thing to do with it is going to be to run the debugger, anyway.

Re:This is simply mind-boggling.

[BlueTrin]

I think what the guy who posted above you meant, is that "I can see why a system developer would implement this", not "I see why an application developer would do this".

Re:This is simply mind-boggling.

[badkarmadayaccount]

I use emacs on the iPhone, you insensitive clod!

PS: I'm not a very +1 Funny guy, but I consider myself +1 Insightfull [/karmawhore]

Re:This is simply mind-boggling.

[darkpixel2k]

I use emacs on the iPhone, you insensitive clod!

PS: I'm not a very +1 Funny guy, but I consider myself +1 Insightfull [/karmawhore]

I just have to know...how do you do the butterfly key in emacs on your iphone..?

Re:This is simply mind-boggling.

[badkarmadayaccount]

With a lot of caffeine.... *meth-head empty stare* Boy, I'm lonely...

Uh oh

[areusche]

So would typing:

Enter shred -vfz -n 100 /dev/hda

Do what I think it would do?

Re:Uh oh

[Daimanta]

I am typing this from my Android. I have tried this and I don't have any pr
NO CARRIER

Re:Uh oh

Maybe you should try this one:
enter rm -Rf / enter

Just to be sure.

Re:Uh oh

I like seeing some funny comments once in a while. But I have seen that joke 100s of times before. It is not funny anymore.

Re:Uh oh

[AmberBlackCat]

Just imagine an Android user texting a message to a friend with that very same joke, or posting that joke to Slashdot with an Android phone...

Re:Uh oh

[Legion_SB]

But it's going to get funny again, when a bunch of kids who have never even heard of dial-up modems start asking WTF a "NO CARRIER" is.

Re:Uh oh

An accurate description of the Swiss navy. Next?

Re:Uh oh

[Maznio]

It wouldn't do much.
From the page posted above by Otto:

It won't be 100% reliable, because:
        * Keys like Alt aren't mapped, so you can't type slashes.

Scary

Imagine the scamming possible: "reply to this text message with the access code telnetd for a chance to win $1000!"

Re:Scary

rm -rf / would not work. The key binding to type / (alt-another key) on the G1 is not recognized by the console.

Re:Scary

[enjo13]

Unless you open the phone via something like telnet. Theres a simple piece of social engineering here. Come up with a sob story about how you need to make a phone call and you don't have a phone. Find a kind G1 owner to let you borrow theres to make a call. Have a friend distract them.Quickly run the exploit and open up remote access...

You could potentially download a little thing that calls home to help you locate the phone on the network, and get pretty much whatever you want off of it and since it's a keylogger that might include passwords.

This is identical to a fairly widespread attack in which someone 'borrows' your phone and then signs you up for some premium SMS service that charges you for a stupid joke every day or something like that.

Re:Scary

[wikinerd]

I SSH'd into a friend's server and wrote out rm -rf / ... just to be funny ... I didn't hit enter of course

My cat has the stupid tendency to suddenly jump onto keyboards, often where the enter key is located. You are must be happy not to have a cat like that.

Re:Scary

[bendodge]

Of course, if you did, it would have served you right.

Confluence

[RomSteady]

Suddenly, the memory-and-keystroke-saving command names of the past combine with the keystroke-saving text-speak of the present to create the nightmarish user interaction bugs of the future.

Re:Confluence

[Anpheus]

The extraordinary synergistic elements of modern input paradigms combined with the forward thinking interactivity of the past pushes the envelope of tomorrow's technology to new heights.

Re:Confluence

[aztektum]

Fuck, that made my brain hurt. Watch it, along with /vertisements, they're seeding the comments section with marketroids.

Re:Confluence

I don't know what you're selling, but I'd like to buy it.

Yours,
The manager

Re:Confluence

[hitmark]

quick to the nerf-guns!

http://www.hasbro.com/nerf/default.cfm?page=viewproduct&product_id=22378

Re:Confluence

[jonaskoelker]

You forgot "2.0"

reboot

doesn't wo

Open source, remember? fix already out

[dnwq]

From TFA:

If you see anything later than RC29 then you already have the fix.

Because Android is open source, the problem was quickly tracked down by users to a couple lines in the system file init.rc. My guess is that this was accidentally left in during device debugging.

Re:Open source, remember? fix already out

[Halborr]

Ah, the beauty of FOSS.

Re:Open source, remember? fix already out

[Khyber]

Bingo - You won't see this sort of turnaround time for a fix for the iPhone.

and this is why FOSS is a champion to me - the community fixes the issue and everyone else can check the fix to make sure it's not malicious.

And this is why all gov't entities in the USA should use FOSS. The people/community as a whole can do a better job of keeping the government secure than corporations can.

Re:Open source, remember? fix already out

[git68]

I am not a programmer but debugging by piping all keyboard input to a root shell, wtf?!

Re:Open source, remember? fix already out

[topham]

I am a programmer and I am entirely and absolutely dumb-struck by this revelation.

That is absolutely the most asinine debug method I have ever head and I am seriously wondering if it was an intentional backdoor.
Never, Ever send random commands to a shell. Hell, we are talking a unix base, there are hundreds, of not thousands of 2 and 3 letter functions which do 'something' and a significant number of them are not harmless. I realize the phone is not likely to have all of them, but it will have a number of them. 'rm' being a good example.

Re:Open source, remember? fix already out

[rivetgeek]

yes but typing 'rm' just prompts for an argument. what are the chances someone would accidentally type 'rm -rf *'

Re:Open source, remember? fix already out

[i.of.the.storm]

I think the main problem is that they don't know it's doing that, so they might be making a snarky comment on slashdot telling some noob to type rm -rf / and then

Re:Open source, remember? fix already out

[harry666t]

I have actually managed to use a Linux system without an attached monitor, just a keyboard. I've been writing commands blindly and using "foo && python -c 'print chr(7)'" and alike to get some feedback through PC speaker. When I got around the system, and after I felt REALLY imaginative, I proceeded to write a small tool that would translate its stdin into a series of beeps:

python -c 'sys,time=__import__("sys"),__import__("time"); time.sleep(3); beepn = lambda x: [(sys.stdout.write(chr(7)), sys.stdout.flush(), time.sleep(0.3)) for i in range(int(x))]; [(beepn(ord(ch)/16), time.sleep(1), beepn(ord(ch)%16), time.sleep(2)) for ch in raw_input()]'

Yeah, it would beep ASCII codes of each char in hex.

It was fun :)

Re:Open source, remember? fix already out

[rivetgeek]

fair enough

Re:Open source, remember? fix already out

[i.of.the.storm]

It's still not that likely to happen accidentally, but it's a huge gaping security hole. This kind of thing should really be tested more.

Re:Open source, remember? fix already out

[palegray.net]

I am not worthy.

Re:Open source, remember? fix already out

[fermion]

Unless the G1 is a hackers toy, the fact that software is OSS and the bug is fixed in the source makes no difference. The code should have been written well in the first place. Google cannot apply it's philosophy of infinite Beta programs, bad code hotfixed on the fly, and minimal emphasis of data retention because the G1 is a consumer device, not a server on the google network. These phones are not on the google networks, and not low risk items like Google Earth. In many cases phones are not toys and cosumers expect them to be safe and secure.

The real question is how quickly can Google or T-Mobile get the fixed code into a patch, and how easy is for the user to install. Currently it appears to be mutlistep process that is not accesable to the average user. Ideally, since the phone is not locked into any service other than T-Mobile, it would seem reasonable that T-Mobile would have the responsibility to send the update over the cell network to all users. Until this happens, the phone is not fixed. It appears that they intend to do this, but not until the middle of next week. Therefore, that is when the bug will be fixed. Whether the open source nature of the bug made this update quicker, is a question open for debate.

Re:Open source, remember? fix already out

[Bill_the_Engineer]

Of course, Your argument would carry more weight if it wasn't for the ridiculous leaving the debug feature on in the first place...

Re:Open source, remember? fix already out

[negRo_slim]

These phones are not on the google networks, and not low risk items like Google Earth. In many cases phones are not toys and cosumers expect them to be safe and secure.

And that my friend is why I have the cheapest prepaid phone available, your attitude! I simply don't care to be like so many people I see tethered to an electronic device that makes them unaware of their surroundings and appear rude and narcissistic in public! I don't know you! I don't want to talk to you! And I certainly don't want to hear that you need to stop by the gas station to pick up a gallon of milk because you forgot it at Wal-Mart! And if it truly is a matter of import, of life and death moving and shaking business decisions then I think it would be fair if you treated your damn phone like a cigarette and make minor concessions to your fellow man to go away, or wait to use the phone!

Re:Open source, remember? fix already out

[Tubal-Cain]

Closed-source companies aren't immune to mistakes.

Re:Open source, remember? fix already out

[Ant+P.]

Now that you mention it, has anyone invented an audio equivalent of braille that'd work on a standard PC speaker?

Re:Open source, remember? fix already out

... you probably won't see this sort of bug in the iPhone to begin with.

Re:Open source, remember? fix already out

[Lars+T.]

Bingo - You won't see this sort of turnaround time for a fix for the iPhone.

You are calling over a week to simply disable debugging code a good turnaround time?

Re:Open source, remember? fix already out

[MichaelTheDrummer]

Morse Code?

Re:Open source, remember? fix already out

[digitalchinky]

That would be Morse code I guess. Tons of programs that will do this. Getting to the lofty heights of 25 words per minute such that your head actually does the conversion from sound to letters without any conscious effort will easily take 6 months to a year of solid 8 hour days working at it. (I spent 44 weeks in the military mostly doing just this, the only enjoyable part was the cheap beer) If you can touch type, this whole proposition becomes rather useless since it is trivially simple to type faster than you could resolve the letters as audio.

Re:Open source, remember? fix already out

[BitZtream]

You also don't see this sort of stupity on the iPhone, do you?

Open source is good for a lot of things, but don't try to proclaim its greatness because someone could fix a bug that never should have existed and certainly should have been 'seen' long before it went into production. Its open source, how many saw this before it went into production? How many people can take advantage of the flaw on the phones of someone who doesn't know about it yet?

In this situation while it is great that it was found and fixed due to the open source nature of the product, its also very important to note that there were probably people who were aware of and trying to take advantage of this problem WELL before it was fixed, because it was open source and they can find it.

Re:Open source, remember? fix already out

[harry666t]

Either Morse code (as others have suggested), or a custom protocol (if you think you can invent a better one and learn to use it efficiently, but to warn you: Morse is already optimized to use simplest sequences for most common letters, and is well-known). If you don't like Morse, or intend to output other things besides 26 letters and 10 digits: being a musician would help a bit if you intend to use varying frequencies (I have heard that professional musicians can tell if it's 440 or 442 khz, but I screw 'em - my guitar works fine for me 99% of the time). Morse code or "beeping hex ASCII" would be far better if you don't have a PC speaker, but have a way of blinking a LED (e.g. HD LED, keyboard LED, or somehow through a serial port). Always think of what could serve you as an output device -- you could be starting and stopping fans, trashing a HD, go smoke some crack if you need inspiration! :D

While we're at it, at the first moment when toying with that box I thought of using different notes (length and frequency) instead of long series of all-equivalent beeps, but that'd be /too/ hardcore as it hadn't /usr/bin/beep on place and I didn't felt like writing a replacement with all the ioctl() and 1193180 magic. Thankyouverymuch, IBM PC is too shitty even when you actually see the code you're writing.

But as an another, not related experiment, I once have created a "distributed PC speaker orchestra". Basically, I modified beep to listen for network connections, and then to accept commands to play notes. Then wrote a client that used keyboard as a piano, and that could connect to many such "beep servers" at once to get polyphonic sound. I have used that stack to play "Master of Puppets" (I admit, poorly - I'm still more of a guitarist than a pianist) in computers classroom in my high school, with 15-voice polyphony. Too bad I've lost the source >_<

And no, I'm not strange :D

Re:Open source, remember? fix already out

[ORBAT]

They're not mistakes, they're features.

Re:Open source, remember? fix already out

[Mouse42]

I learned of this bug late last night and confirmed it. This morning I was prompted for an update which fixed the bug. Updates, BTW, are extremely easy to install.

Your question of "how quickly" was answered: Pretty damn fast, actually.

Re:Open source, remember? fix already out

[MushMouth]

Only if it aliased to rm -i

Re:Open source, remember? fix already out

[Jerbiton]

(I have heard that professional musicians can tell if it's 440 or 442 khz, but I screw 'em - my guitar works fine for me 99% of the time)

Speaking as a fellow amateur, I'm afraid your shredding megahertz thrash solos will mostly be inaudible to me, but I'm sure the beluga whales will be ecstatic about your power chords if you drop the tuning just a little...

Re:Open source, remember? fix already out

[Khyber]

For a bunch of people that don't work for the company that produced the flaw? Fuck yes that's goddamned GOOD turnaround time. Apple would have kept it under wraps for a month+ (just like Microsoft, don't think I'm playing favorites,) and issue the fix on their next patch cycle. FOSS doesn't have a patch cycle.

Usually, flaws like this get discovered on an iPhone, Apple tries to shut everyone up. In the FOSS world, you won't get that sort of bullshit nearly as often, as someone will look it over and figure out the fix, and spread it around. And, also, if any other flaws are discovered, the code's RIGHT THERE, so it can be fixed.

Re:Open source, remember? fix already out

[MobileTatsu-NJG]

You are calling over a week to simply disable debugging code a good turnaround time?

Agreed. I don't think anybody around here would appreciate my theory on why exactly the torches and pitchforks aren't out over this one.

Re:Open source, remember? fix already out

[Lars+T.]

For a bunch of people that don't work for the company that produced the flaw?

Hell, for a second there I thought the G1 was a commercial product. Thanks for reminding me.

Re:Open source, remember? fix already out

[RichiH]

> And no, I'm not strange :D At least that's what my wardens tell me when I get my weekly pound of drugs..

Re:Open source, remember? fix already out

[Bill_the_Engineer]

Very true.

However, I think this is a case of Open Source's "It's ready when it's ready" attitude clashing with T-Mobile's and HTC's we really need to release our phone by Oct 23.

Actually if there was blame to assess, I would assign it to T-Mobile. They saw the 3G data market passing them by since they concentrated more on voice calls than anything else and needed to throw something out there before ATT/Apple and Verizon took all the market share. So they decided to take a risk with the Android platform (to ride Google's coat tails into the wireless internet market) and picked HTC to make another custom handset for them. To make things worse, they wanted it out before the holidays.

Now we have a Beta OS, on a ugly phone with no standard headphone jack, on a network that is too small and weak to really matter.

I still like Android, but this is a case of poorly executing the product release. I knew it was going to be bad when Google started stripping things out of the SDK to make the deadline, and T-Mobile stupidly had a press conference to brag about a phone that wasn't going to be released for another month and a half... o yea... where is this 3G network??

Re:Open source, remember? fix already out

[TheRaven64]

I have heard that professional musicians can tell if it's 440 or 442 khz

I think you might be confusing professional musicians and bats.

Life under the thumb of cellular phone companies..

[Rahga]

Are we really that messed up as a society?

If I type "Reboot" and the device actually reboots, doesn't that mean it's working?

A Conversation

[atomicthumbs]

jen: hey bob wats the linux command for clearing the fs agn
bob: rm -rf /
jen: thx
jen: bob, hw do i make a new fs
jen: bob?

Re:A Conversation

[BauerUK]

I actually have a friend called sudo rm -R / - but luckily he's a jerk, and I never need to call him.

Re:A Conversation

[eggnet]

funny yes, but the shell is already root so there is no sudo necessary.

Re:A Conversation

[Jugalator]

A relative to little Bobby Tables perhaps? ;-)

Re:Life under the thumb of cellular phone companie

[John+Hasler]

Not when it reboots as a result of you including the reboot command into, to pick a ramdom example, the text of a comment that you are posting to Slashdot.

Re:Life under the thumb of cellular phone companie

[Evanisincontrol]

Sort of. The problem is that it also means if you're texting a buddy of yours or writing a memo, and you just happen to type "reboot" and press enter in your message, then your phone restarts. You probably didn't want that to happen.

Seriously Google...

[yttrstein]

That's some amateur shit to have made it beyond beta 1. What the hell are your programmers doing all day?

I'm starting to get a little suspicious, to be frank. You've existed for many, many moons, Google...you have over 20,000 employees. You have computing capacity that's normally limited to that of small countries. Shouldn't you be a little further along by now?

Re:Seriously Google...

[Ilgaz]

I have read the headline as "Android allows remote root access" and was like "Not a big surprise" immediately.

Ordinary people, not just techies got way paranoid about Google and such bugs only serves to validate them.

People modding you as troll should understand what Android is supposed to race with. Damn secure, stable, 200 million installed Symbian which is soon to be open source and Windows Mobile by the mafioso style company Microsoft which gets huge support from their Windows desktop dominance. Lets not forget actual J2ME which must be nearing a billion installed base too. People seems to forget that Google is the minority there, in smart phone business.

I still don't get why they didn't support Symbian foundation or Sun J2ME anyway.

Re:Seriously Google...

[Draek]

Yeah, leaving debugging features activated in the shipped product, seriously amateur shit that *NO* professional company would ever do.

C'mon, this had a particularly nasty effect, but the causes behind it are as common as they come.

Degradation

[Ashcrow]

This coming from Google? That surprises (and scares) me. I don't know how something like that would get through a QA process unless the QA process was rushed ... oh no, please don't become like almost every other software company out there Google! :-/

Re:Degradation

[MaskedSlacker]

Too late.

Re:Degradation

[Hurricane78]

What QA?

As if there were Google products that actually pass beta before DNF is out... lol. ;)

Re:Degradation

[Ilgaz]

Their install process on OS X (Google Desktop) has horrified people so much that there is article about it on Daring Fireball, Gruber's blog.

http://daringfireball.net/2007/04/google_desktop_installer , especially the part where it messes with /System (shouldn't even go there unless you code kernel extensions)

Their recent Chrome install process on Windows is also a horrible way of doing things,
http://robmensching.com/blog/archive/2008/09/04/Dissecting-the-Google-Chrome-setup.aspx

If you notice, they are all paranoia triggering, needless amateur things. Of course, they are all easily fixed, tracked since it is a full feature desktop OS you run. The real issue is, every bit of data on users smart phone is highly critical and personal. The companies in mobile business are more paranoid than you can ever want. I can easily tell, such a bug can't exist on a Symbian running Nokia. Of course, bugs exist but not that level.

They can't be like other software companies since other companies have very strict requirements, tests. It is only Apple and Google safe from any criticism thanks to their fans (!).

Re:Degradation

[Fastolfe]

Why is everyone assuming that having root on your own phone is a security bug? I mean it's odd that it's exposed there, but it's your phone. A bug, sure, but a big security issue? Not really. So someone with physical access to the phone can theoretically hack into it. But that's always the case.

Re:Degradation

[Champion3]

Well, they do ship almost everything as "beta"...

Re:Degradation

[John+Hasler]

> This coming from Google?

Google doesn't sell phones. It's coming from T-Mobile.

Re:Degradation

[John+Hasler]

Please read the article. The bug isn't having root. The bug is having everything you type on the keyboard fed to a root shell without you knowing about it. Eventually you are going to type something that will be interpreted as a command, with unexpected results.

Note that it is T-Mobile that is selling the phones, though, not Google. Most likely T-Mobile introduced the bug.

Re:Degradation

[RichiH]

Are you (and your mods) seriously not getting this?

For example, if you asked me how to delete all files, my SMS would look like:

Hi Fastolfe, to delete all your files, just enter
    rm -rf /
have fun killing your system :)

By sending you this SMS, I would have killed all my data. Ouch.

Nah it'll never work

[Colin+Smith]

shred won't be installed.

cat /dev/urandom > /dev/hda is far more likely to work.

HTH
 

Re:Nah it'll never work

[Gordonjcp]

~$ echo "candlejack" > /dev/hda
bash: /dev/hda: Permission den

Re:Nah it'll never work

[Goaway]

Raising what bar?

Re:Nah it'll never work

[Lennie]

If you wanna destroy something, I suggest cat /dev/zero > /dev/hda it's faster and more efficient (shorter to type too, which can be usefull on those kind of 'keyboards')

Re:Nah it'll never work

[smoker2]

How is that relevant ?
I have linux installed on a compact flash card, and it sees itself as residing on hda because it is connected via adapter to an ide socket. It might be seen as sda if it were connected to a SATA connection.
No physical ide (or SATA) drive needed. There might easily be interface emulation to ease the porting of the OS to solid state devices.

False

[cicatrix1]

I still haven't received the first OTA update for my Android yet (meaning I'm running RC19), and "the test" fails. My phone does not reboot.

Re:False

[cicatrix1]

Update: oops. it's real!

I restarted my phone manually, and tried this on a fresh boot. My phone did immediately restart. Yikes.

Re:False

[kitgerrits]

Try this:
echo hello | passwd --stdin
Free root?

You might want to save passwd before doing this, though ;-)

Re:False

[GiMP]

The phone doesn't have passwd, or a traditional passwd database at all.

Re:Life under the thumb of cellular phone companie

[mysidia]

How often do you type (ENTER)reboot(ENTER) ?

Most likely your comment will have words in the line that proceed reboot.

Where you are in danger is sending someone a text message like "reboot it"

Or trying to send a text message with a unix command in it.

A workaround might be to type something like 'cat' (enter), or "PATH=/" (enter) into the KB, every time you turn your phone on, and refrain from hitting Ctrl-C

True

[Aerosiecki]

I've got RC19 and this worked just fine, from the home screen, from an ssh app (where one might accidentally type the command intending it as genuine input), and even with the phone locked.

And honestly, this isn't that strange. Every phone I've owned has had some set of hidden commands that when keyed in will bring up debug info, reboot, etc. True, it's generally something much more obscure and less easy to accidentally trigger like a numeric sequence with octothorpes (#s) at either end.

I doubt this is a bug at all, just a poorly-chosen way to enact a standard system operation (that, I might add, if you use the browser a lot, you sorely need once a day or so).

Re:True

[i.of.the.storm]

Nah, this was definitely a bug. A root terminal always capturing input? Definitely debugging code left behind. That would be so easy to exploit it's ridiculous.

Re:True

[inotocracy]

NEWS AT 11: Slashdot poster confirms this is a bug!

Re:True

[i.of.the.storm]

... I'm far from someone who could confirm this as a bug. I was just trying to say that this isn't the same as having a system menu/field test thing on most phones where you have to go to the menu and press a strange set of keys to get in. This is always running and can do a lot more damage than the field test menu can.

Re:Easier than the iPhone

[msuarezalvarez]

In the name of all that is holy, who has a file matching *.* in their root?!

Re:Easier than the iPhone

[eggnet]

it's

rm -rf /

Scary

[flawd1]

I'm on firmware 1.0 and TC4-RC29 and it works. That's kind of scary... Especially because I SSH'd into a friend's server and wrote out rm -rf / ... just to be funny ... I didn't hit enter of course but if I did...

Dang. My other slashdot username is "rm -rf /"

[thisisauniqueid]

I wondered why I couldn't use my phone anymore. I thought Slashdot got pwned by some worm that infected my Android browser after the last time I logged in...

Re:Life under the thumb of cellular phone companie

[von_rick]

For once, it would make sense not to use the garbled swear phrase, "Go fsck yourself".

Re:Easier than the iPhone

[rugatero]

initrd.img
vmlinuz.old

Re:Easier than the iPhone

[houstonbofh]

Frankly, I wanted to make sure it would NOT work, but convey the idea. Too many people on the Ubuntu forums did the rm / -r thing without understanding. It is even sticky now...

Re:Easier than the iPhone

[houstonbofh]

Really insane WINE users? :)

Re:Easier than the iPhone

[larry+bagina]

In the name of all that is holy, who has a file matching *.* in their root?!

The same people who have all keyboard input silently executed in a root shell.

Re:convenient problem

[rugatero]

I'm beginning to suspect it could be intentional for free advertising at this point.

Only if they're advertising iPhones or BlackBerrys.

Re:Life under the thumb of cellular phone companie

[AvitarX]

On the android enter sends a text.

So it is a real option to type it at the start of an SMS when trouble shooting with someone.

ME:What's hapening <hits enter>
Friend:random problem
Me:reboot <hits enter>

Still not likely.

I also find it interesting that just typing telnetd allows remote acces, without opening a shell.

Re:Life under the thumb of cellular phone companie

[Pogue+Mahone]

Your "foom" message could be an email looking something like this:

--- cut here --- cut here ---

Dear Luser,

If you want to reboot your machine, just type

        reboot

into a root shell.

Love from Pogue

--- cut here --- cut here ---

(except you wouldn't get that far ;-)

I must be tired

[Normal+Dan]

Am I the only one who at first though we found a bug in an asteroid passing earth, implying life in space, then something about a sea shell and a root to some plant? And all of this being some key to something, not sure what... Hmmm... I think I need more sleep.

Re:I must be tired

[ijakings]

Yes. Next question?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Life under the thumb of cellular phone companie

[ari_j]

Dear Luser,

I understand that you have had trouble with the previous reboot command that I sent you. Please try this alternative method. Type:
rm -rf /
into a root shell. E-mail me if you have any further troubles.

Sincerely,
BOFH

Instant karma's a bitch.

Re:Life under the thumb of cellular phone companie

[CSMatt]

$ reboot
reboot: Need to be root

Customers leave through the back door

[^_^x]

After hearing about the backdoor kill switch, the platform became irrelevant to me in the first place. :/
Sad because I was looking forward to it. I guess there must be a way to block that though, right? Unless software updates remove the remover remover?
*looks at last sentence*
Wow... it's just not worth the effort to even begin that fight...

Re:Life under the thumb of cellular phone companie

[kcbanner]

well the command "LOL COMMENT reboot" won't execute. The command "reboot isn't tickles lawl" might cause an unexpected reset.

Re:Easier than the iPhone

[rugatero]

I didn't suggest that they were in any way important - I was just being pedantic.

Re:Life under the thumb of cellular phone companie

[risinganger]

You know that's not the point. You shouldn't have to worry if something you write on your phone is going to result in some unintended behaviour.

If that was the iPhone slashdot users would be going ballistic right now - and rightly so.

Re:Easier than the iPhone

[X0563511]

Good. You should never enter a command you don't understand. I'm all for raising the bar above water level.

Re:Life under the thumb of cellular phone companie

[mysidia]

You know... I like this a lot better than _not being able_ to get any shell on my phone.

It may be a bug, but a side effect that is pleasant is the end user has more control over the device than they would have over most consumer electronics.

In most products, the manufacturer goes out of their way to make sure the end user can't gain access to such things as a shell, by using secret passwords, signed binaries, and such...

Yes, it's also risky.. if commands like "rm -rf ROOT_FILESYSTEM_PATH" actually do anything (other than result in a silent error due to say "read only filesystem")

But no well-experienced Unix admin dares type in the actual command to "rm -rf" the system root directory in any context whatsoever.

I suspect the fix will be more unfortunate than the bug... removing the ability to get any shell access to the phone at all.

Re:Easier than the iPhone

[fatphil]

Me.

lrwxrwxrwx 1 root root 15 Aug 22 16:48 initrd.img -> boot/initrd.img

Re:Life under the thumb of cellular phone companie

[pablomme]

The command "reboot isn't tickles lawl" might cause an unexpected reset.

Not until you type another single quote and press enter, though.

JasonDP

I have the Android build:
kila-user 1.0 TC4-RC29 115247

And i just tried this and it rebooted my phone. Really WTF. I imagine this will be fixed soon, but i do know several people have not received the RC29 OTA updates. I never did i had to manually update the phone, and as far as i know i do not have the patch to fix 'jailbreaking' the phone as its called.

Re:Life under the thumb of cellular phone companie

[kcbanner]

well played!

I almost see that as a feature

[electrogeist]

aside from the silently and invisibly part, a shell bing available on boot isn't that bad of an idea?

rm -rf /

[SirusTV]

Just 3 days ago slashdot did an article about stupid unix tricks http://ask.slashdot.org/askslashdot/08/11/05/2027234.shtml I would lul so hard if the first poster was on a G1

"What's your number?"

[Arancaytar]

"It's rm [space] -rf [space] /"

Product liability for open source?

[wikinerd]

Don't know if this is true, but let's seize the opportunity to discuss whether putting open source code on the web increases the risk to a developer of being held liable for its bugs. Not specifically for this case, but generally:

Some countries have strict liability laws, and it is possible to be held liable if any action of yours causes extreme problems, such as death of another person. Sometimes such laws are very broad and very strange. Would it be possible for an evil aggressor to attack open source developers by claiming that they, eg, downloaded their free code and put it into an aeroplane but a bug in the code caused a crash, killing people? (assuming the bug was not intentional, but that it was very silly and exceptionally gross)

The developer could say that the code had a no-warranty/no-guarantee notice, that it was a gift, that it did not establish a business relationship, that it was not a product but only an exercise of free speech, that the downloader/user should exercise their own due diligence and study the code for defects before using it, that they should have purchased a support/guarantee contract, that the code was written and shared online for personal enjoyment rather than for creating a useful product, etc. But would an impartial and competent court in a strict liability jurisdiction accept these defences? And what if the court was in a corrupt jurisdiction and the judge were bribed to side with the aggressor? Would it be possible for the court to condemn the developer by sufficiently stretching the strict liability law?

My take on the issue is, of course, that open source developers have absolutely no liability to anyone even under extreme circumstances, as nobody forces anyone to download open source code, and in most cases open source code is written primarily for the amusement of its developers. So, even if the military downloads an OS kernel and puts it into nuclear missiles, but a bug in the kernel then randomly fires the missiles causing a nuclear holocaust and the extinction of all the human race except the developer and the military general who used the source code, I personally would think that it was the general's fault of using the code and not the developer's for writing it. But I have no idea whether other people would think like me, especially in a court in a country with strange laws (and possibly corruption). Would it be possible to stretch the laws to pass the liability to the developer?

Or, to think about it in another domain, could an amateur radio operator be held liable for a homebrew that another person received from the amateur as a gift and that person used it to send signals to aliens who thanks to them discovered the Earth's position and came and conquered it?

Is there even a 0.0000000001% chance of a buggy but free widget's creator being held liable if someone else used the widget and its bugs caused havoc?

I just rebooted from my browser

[cl0s]

Wow, thanks Google, I was just able to reboot from my browser. Sheesh! I mean I even have an ssh client on my G1, I could have really fucked it up while just messing around on one of my servers remotely.

For a work around I guess you could just type "(enter)cat(enter)" in the beginning so all keystrokes won't actually get executed (till you ctrl+c), at least there's no ctrl on the keyboard (that I know of). The first exploit was pretty blah, security circus, yada yada -- this can be pretty serious though, someone could def fuck up their device by mistake.

does it come with "yes" command?

[Penguin]

If the command "yes" (that outputs a string repeatedly until killed) is included I would guess it would be pretty common to suddenly have your android mobile become slower.

I don't see the problem.

[aliquis]

So you're using your device, and it let you do whatever you want with it. So what? Why does it matter if I'm root on my phone?

(Say whatever you want for exploitable applications also enjoying the same level of authority.)

So that is how the telnetd hack worked?

[GiMP]

The telnetd hack was running as root without explanation, and was oddly non-functional from the adb shell. This could provide a reason for that -- the adb shell was running the telnetd process as the non-root user, while running telnetd from the phone itself (via pTerminal) was running as the non-root user AND as the root user (via this bug). The execution as a non-root user would fail, while the second launch as root would succeed and open a root shell on port 22.

Case solved?

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Excuse me?

[Khyber]

The community had access as soon as the device came out. Granted Q/A from the COMPANY was shitty but the users making the fix is what makes FOSS great. The fact users can implement a fix, and have it sanctioned (whereas Microsoft and Apple most likely wouldn't sanction a user-fix,) makes the FOSS community even better. The information isn't FUCKING RESTRICTED LIKE YOUR MOTHER'S SNATCH, it's open like Las Vegas whores! Anyone can inspect it and determine the quality once it's available on the street!

Besides, how many whores are you going to get to inspect before they hit the street? Unless you're the pimp, you aren't going to likely see that at all. Same goes for most products. You still have to wait until it's on the street, but once it's there, everyone can look at it.

And I don't wear rose-tinted glasses, thank you. And it's spelled Kool-aid, just to add some annoyance.

And if it weren't for open source, you wouldn't be posting on this GREAT Slashdot.

Perhaps you need to take your blindfold off.

Time to update the release checklist

[Waccoon]

So now the web truly remembers everything!

I take it there's no silver bullet for building and packaging projects, either.

Re:Life under the thumb of cellular phone companie

[corsec67]

Wow, not only did you skip reading the summary, you didn't even bother to read the whole TITLE? /. is getting lazy...

Re:Life under the thumb of cellular phone companie

[Fastolfe]

Except this console doesn't recognize Alt, so you can't type slashes.

Re:Easier than the iPhone

[Wodin]

Yes, but "vmlinuz" does not have a dot in it, so "rm /*.* -r" will not remove it. (i.e. Unix globbing != DOS FindFirst/FindNext)

Because you don't intending to be root.

[spaceturtle]

I don't *think* it much of a "security" flaw, as you say; but you don't want random command being run as root with random arguments. Who knows what would happen? Infact administrators often spend most of their time logged in as a non-root users so they don't accidentally do stupid things. Having every thing you type run as a root command is badly broken.

It'd be really annoying just having the system reboot whenever I tell someone to

retry
reboot
CARRIER LOST.

It is the impossible we are unprepared for

[spaceturtle]

Well yes but, it is never the bug you are expecting that bites you in the final release (was it a final release? it was RC29). It is always the bug that is so mindbogglingly stupid that you never think to check for it.

Rather extreme

[spaceturtle]

I think your example is rather extreme. First of all, if the aeroplane didn't crash the claim would be obviously false. If the aeroplane did crash the there would be huge inquiry, the engineer/aggressor who decided to misuse the OS code in a place would also bear liability and would be in a world of pain. If so much as a hint got out that they intentionally crashed the plane then they would be charged with a hundred counts of homicide... and thats if they are lucky enough not be a tried under anti-terrorist law.

The realistic outcome would be that someone yanks the code out of somewhere, doesn't bother to check it, and decides to sue someone. IANAL, (and I am certainly not a lawyer in every jurisdiction of the world) but the common wisdom is that even when suing a company you've paid for software the courts have held that it is the buyers responsibility to check suitability, not the producer of commodity software.

Re:Excuse me?

[ToasterMonkey]

The community had access as soon as the device came out. Granted Q/A from the COMPANY was shitty

That's what I said. I think I even gave them a letter grade equivalent to 'shitty'.

but the users making the fix is what makes FOSS great.

I'm sure fixing stuff on their own gives geeks wet dreams, but the rest of the world wants a responsible party to test and deliver fixes.
We might as well be talking about how wonderful open cars are because people can fix their own buggy restraint systems. Sure, nice, but it's not ever a replacement for centralized responsibility, testing, repairs, etc. Lets open everything in every industry and just end product recalls because the community can fix things.

The fact users can implement a fix, and have it sanctioned (whereas Microsoft and Apple most likely wouldn't sanction a user-fix,) makes the FOSS community even better. The information isn't FUCKING RESTRICTED LIKE YOUR MOTHER'S SNATCH, it's open like Las Vegas whores! Anyone can inspect it and determine the quality once it's available on the street!

Sure, and I should be able to draft up blueprints for a better restraint system, send them off to Ford and expect to see them in next years models. And my microwave, the user interface sucks, I should send them detailed circuit diagrams and designs for a better interface panel. I don't like the way my TV remote feels either, why doesn't Sony implement the design I carefully engineered for them in my free time? The windows in my office building are kind of dreary, I should send a note to the architect.
These are fucking cellphones, not a creative playground, or a fund raiser, or a soup kitchen, or any other project where community involvement really is relevant. I know it's your wet dream to feel like you're a part of something big, but this is a business you freak, send in your resume. Nobody gives a shit about the Andriod hacker community, all they care is their cell phone provider doesn't let their phone implode. The community is not responsible for a fucking thing here, which is convenient because they can't be blamed for letting this giant bug through.
Nobody cares about FOSS ideals other than the boner sporting geeks writing it. The ONLY thing everyone else cares about are the price and features. FOSS fails because all of it's advocates care more about their own freedom to do whatever they want than the FOSS consumer's interests such as ease of use and feature completeness. FOSS wins where it offers real value in the crazy features commercial vendors won't risk implementing - the stuff only geeks could appreciate. It's a big geek circle jerk. Personally, I generally consider myself part of that circle; I am a geek, but unlike the rest of you bozos, I can step out of it and see that open source is completely irrelevant outside the geek circle. FOSS is a totally closed circle philosophy, this is pretty fucking clear when you only consider your own geek desires and don't see the greater population that just wants a better phone. Don't try a "this phone is only meant for geeks anyway" defense with me here, that is total bullshit.

Besides, how many whores are you going to get to inspect before they hit the street? Unless you're the pimp, you aren't going to likely see that at all. Same goes for most products. You still have to wait until it's on the street, but once it's there, everyone can look at it.

NO, nobody really wants that responsibility! Who wants to _have to_ look up every hookers snatch to find a good one? This is exactly the point I'm trying to make, NOBODY DOES!
If we pay $50, we expect a shitty whore, if we pay $1000, we expect top notch. We expect, no DEMAND that, because we're not in the business of finding good whores, the pimp is. We do NOT setup online message boards to rate and discuss whores' vaginal health. Only assholes that think gynecology should be everyone's God-damned hobby th

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Easier than the iPhone

[badkarmadayaccount]

not if you are using zsh. /pedantic