Slashdot Mirror


Bug In Android Passes Keystrokes To Root Shell

pasokon writes "ZDNet reports on an Android bug in T-Mobile G1s with early versions of the firmware: 'When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. ... open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: (enter)-r-e-b-o-o-t-(enter). Poof, your phone will reboot.'"

58 of 205 comments

  1. This is simply mind-boggling. by jcr · · Score: 5, Insightful

    I can't imagine how or why anyone could accidentally pipe all user input through a root shell. This is one for the WTF of the decade.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:This is simply mind-boggling. by Otto · · Score: 5, Informative

      Read this:
      http://android.jim.sh/index.php/ConsoleShell

      Looks like debugging code left behind...

      --
      - Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
    2. Re:This is simply mind-boggling. by ultramk · · Score: 4, Funny

      This is obviously bad for Apple. I mean if the iPhone weren't all like, locked down, and, um....

      Yeah, anyway, the iPhone is done for, no question. I mean you can't even GET to root shell on an iPhone, and here it is a standard feature on Android! Mind-boggling indeed!

      --
      You catch enchiladas by picking them up behind the head and holding them underwater until they don't kick anymore -VeGas
    3. Re:This is simply mind-boggling. by SharpFang · · Score: 4, Insightful

      I can perfectly well imagine someone purposely piping all the user input to root shell for easy debug and development, then forgetting to disable it in the release version.

      --
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B2
    4. Re:This is simply mind-boggling. by Anonymous Coward · · Score: 2, Insightful

      A better way would be to require holding down e.g. "c" during boot to enable it. Automatically sending ALL keystrokes to the console is a bad idea, even for debugging.

    5. Re:This is simply mind-boggling. by tyler_larson · · Score: 3, Informative

      Verified this still works on the latest OTA update, RC29.

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
    6. Re:This is simply mind-boggling. by tyler_larson · · Score: 4, Informative

      If you want to keep from fubar-ing your G1 by typing in the wrong stuff accidentally, just type "cat [enter]" first thing when you power on the device, and it will be defused from then on. All input will be harmlessly filed away to stdout.

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
    7. Re:This is simply mind-boggling. by JackassJedi · · Score: 3, Funny

      Yeah the iPhone is really dead now. Apple totally blew it, I agree. It's totally done for. This is a total misfeature: a hidden root shell!
      BTW what's this 'Android' you're talking about?

      --
      Power corrupts the few, while weakness corrupts the many.
    8. Re:This is simply mind-boggling. by RzUpAnmsCwrds · · Score: 4, Informative

      The latest OTA update is RC30, which patches the issue (I confirmed this on my G1).

    9. Re:This is simply mind-boggling. by tyler_larson · · Score: 3, Informative

      You mean defused until you type Control-z, Control-d or Control-c, right?

      Nope. I really do mean from then on. Read the various write-ups to understand why.

      And for bonus points, see if you can find your phone's "control" key.

      --
      "With sufficient thrust, pigs fly just fine. However, this is not necessarily a good idea...."
      RFC 1925
    10. Re:This is simply mind-boggling. by darkpixel2k · · Score: 4, Funny

      If you want to keep from fubar-ing your G1 by typing in the wrong stuff accidentally, just type "cat [enter]" first thing when you power on the device, and it will be defused from then on. All input will be harmlessly filed away to stdout.

      Wait--you're missing the big picture.
      Jailbreak the phone!

      Woo! We now have root access! We can hax0r the phone and load our own custom applic...what? Oh. Shit. Wrong phone. I'll wait for the next iPhone article.

      --
      There's no place like ::1 (I've completed my transition to IPv6)
  2. Scary by Anonymous Coward · · Score: 5, Funny

    Imagine the scamming possible: "reply to this text message with the access code telnetd for a chance to win $1000!"

  3. Confluence by RomSteady · · Score: 5, Funny

    Suddenly, the memory-and-keystroke-saving command names of the past combine with the keystroke-saving text-speak of the present to create the nightmarish user interaction bugs of the future.

    --
    RomSteady - I came, I saw, I tested. GamerTag: RomSteady / http://www.romsteady.net
    1. Re:Confluence by Anpheus · · Score: 5, Funny

      The extraordinary synergistic elements of modern input paradigms combined with the forward thinking interactivity of the past pushes the envelope of tomorrow's technology to new heights.

  4. reboot by Anonymous Coward · · Score: 4, Funny

    doesn't wo

  5. Re:Uh oh by Daimanta · · Score: 3, Funny

    I am typing this from my Android. I have tried this and I don't have any pr
    NO CARRIER

    --
    Knowledge is power. Knowledge shared is power lost.
  6. Open source, remember? fix already out by dnwq · · Score: 4, Informative
    From TFA:

    If you see anything later than RC29 then you already have the fix.

    Because Android is open source, the problem was quickly tracked down by users to a couple of lines in the system file init.rc. My guess is that this was accidentally left in during device debugging.
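
The two things the thread keeps circling back to are the summary's description of a root shell that owns the keyboard from boot, and dnwq's note that users traced it to a couple of lines in init.rc. That is a pattern an auditor can look for mechanically. The script below is an added example, not code from the ZDNet article, the ConsoleShell write-up or the Android sources: it embeds two constructed init.rc fragments, a leaky one with an always-on console shell and a hardened one where the same service is marked disabled and only started on an explicit trigger, and flags any console service that is not disabled. The exact stanza that shipped on the G1, and the ro.debuggable trigger used in the hardened fragment, are assumptions made for illustration; the console and disabled service options and the fact that a service without a user line runs as root are standard Android init behaviour.

```sh
#!/bin/sh
# Added example: audit an Android init.rc for an always-on console shell.
# Not from the ZDNet article, the ConsoleShell write-up or the Android
# sources; the init.rc fragments below are constructed for this example.
# Android init runs a service as root unless the stanza sets a "user",
# so a "console" service with no "disabled" line is a root shell that
# owns the keyboard from boot onward, which is what the thread describes.

# Print "name command" for every service that binds the console and is
# not marked disabled. Exit 0 if any were found, 1 if the file is clean.
find_console_services() {
    awk '
        function flush() {
            if (name != "" && console && !disabled) {
                print name " " cmd
                found = 1
            }
            name = ""; cmd = ""; console = 0; disabled = 0
        }
        /^service[ \t]/            { flush(); name = $2; cmd = $3; next }
        /^on[ \t]/                 { flush(); next }  # a trigger block ends the stanza
        /^[ \t]+console([ \t]|$)/  { console = 1; next }
        /^[ \t]+disabled([ \t]|$)/ { disabled = 1; next }
        END { flush(); exit found ? 0 : 1 }
    ' "$1"
}

# Write the constructed samples: $1 gets the leaky layout, $2 the hardened one.
# The hardened stanza keeps the debug console but only starts it on an
# explicit property trigger (assumed here for illustration).
write_samples() {
    cat > "$1" <<'EOF'
on boot
    class_start default

service console /system/bin/sh
    console

service adbd /sbin/adbd
EOF
    cat > "$2" <<'EOF'
on boot
    class_start default

service console /system/bin/sh
    console
    disabled

on property:ro.debuggable=1
    start console

service adbd /sbin/adbd
EOF
}

dir=${TMPDIR:-/tmp}
write_samples "$dir/init.rc.leaky" "$dir/init.rc.hardened"

echo "== leaky init.rc =="
find_console_services "$dir/init.rc.leaky" && echo "always-on root console shell found"
echo "== hardened init.rc =="
find_console_services "$dir/init.rc.hardened" || echo "no always-on console shell"
```

Run it with sh. Against a real device the same function can be pointed at an init.rc pulled from the device's root filesystem, and the result cross-checked with ps for a root sh whose controlling tty is the console; deleting the stanza outright is the simpler fix when no debug console is needed at all.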

    1. Re:Open source, remember? fix already out by Halborr · · Score: 5, Insightful

      Ah, the beauty of FOSS.

    2. Re:Open source, remember? fix already out by Khyber · · Score: 5, Interesting

      Bingo - You won't see this sort of turnaround time for a fix for the iPhone.

      and this is why FOSS is a champion to me - the community fixes the issue and everyone else can check the fix to make sure it's not malicious.

      And this is why all gov't entities in the USA should use FOSS. The people/community as a whole can do a better job of keeping the government secure than corporations can.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    3. Re:Open source, remember? fix already out by topham · · Score: 2, Insightful

      I am a programmer and I am entirely and absolutely dumb-struck by this revelation.

      That is absolutely the most asinine debug method I have ever heard of, and I am seriously wondering if it was an intentional backdoor.
      Never, Ever send random commands to a shell. Hell, we are talking a unix base; there are hundreds, if not thousands, of 2 and 3 letter functions which do 'something', and a significant number of them are not harmless. I realize the phone is not likely to have all of them, but it will have a number of them. 'rm' being a good example.

    4. Re:Open source, remember? fix already out by i.of.the.storm · · Score: 2, Insightful

      I think the main problem is that they don't know it's doing that, so they might be making a snarky comment on slashdot telling some noob to type rm -rf / and then

      --
      All your base are belong to Wii.
    5. Re:Open source, remember? fix already out by harry666t · · Score: 2, Interesting

      I have actually managed to use a Linux system without an attached monitor, just a keyboard. I've been writing commands blindly and using "foo && python -c 'print chr(7)'" and the like to get some feedback through the PC speaker. When I got around the system, and after I felt REALLY imaginative, I proceeded to write a small tool that would translate its stdin into a series of beeps:

      python -c 'sys,time=__import__("sys"),__import__("time"); time.sleep(3); beepn = lambda x: [(sys.stdout.write(chr(7)), sys.stdout.flush(), time.sleep(0.3)) for i in range(int(x))]; [(beepn(ord(ch)/16), time.sleep(1), beepn(ord(ch)%16), time.sleep(2)) for ch in raw_input()]'

      Yeah, it would beep ASCII codes of each char in hex.

      It was fun :)

    6. Re:Open source, remember? fix already out by fermion · · Score: 2, Insightful
      Unless the G1 is a hacker's toy, the fact that software is OSS and the bug is fixed in the source makes no difference. The code should have been written well in the first place. Google cannot apply its philosophy of infinite Beta programs, bad code hotfixed on the fly, and minimal emphasis on data retention because the G1 is a consumer device, not a server on the Google network. These phones are not on the Google networks, and not low risk items like Google Earth. In many cases phones are not toys and consumers expect them to be safe and secure.

      The real question is how quickly Google or T-Mobile can get the fixed code into a patch, and how easy it is for the user to install. Currently it appears to be a multistep process that is not accessible to the average user. Ideally, since the phone is not locked into any service other than T-Mobile, it would seem reasonable that T-Mobile would have the responsibility to send the update over the cell network to all users. Until this happens, the phone is not fixed. It appears that they intend to do this, but not until the middle of next week. Therefore, that is when the bug will be fixed. Whether the open source nature of the bug made this update quicker is a question open for debate.

      --
      "She's a scientist and a lesbian. She's not going to let it slide." Orphan Black
    7. Re:Open source, remember? fix already out by harry666t · · Score: 2, Interesting

      Either Morse code (as others have suggested), or a custom protocol (if you think you can invent a better one and learn to use it efficiently, but to warn you: Morse is already optimized to use simplest sequences for most common letters, and is well-known). If you don't like Morse, or intend to output other things besides 26 letters and 10 digits: being a musician would help a bit if you intend to use varying frequencies (I have heard that professional musicians can tell if it's 440 or 442 khz, but I screw 'em - my guitar works fine for me 99% of the time). Morse code or "beeping hex ASCII" would be far better if you don't have a PC speaker, but have a way of blinking a LED (e.g. HD LED, keyboard LED, or somehow through a serial port). Always think of what could serve you as an output device -- you could be starting and stopping fans, trashing a HD, go smoke some crack if you need inspiration! :D

      While we're at it, at the first moment when toying with that box I thought of using different notes (length and frequency) instead of long series of all-equivalent beeps, but that'd be /too/ hardcore as it didn't have /usr/bin/beep in place and I didn't feel like writing a replacement with all the ioctl() and 1193180 magic. Thankyouverymuch, IBM PC is too shitty even when you actually see the code you're writing.

      But as another, unrelated experiment, I once created a "distributed PC speaker orchestra". Basically, I modified beep to listen for network connections, and then to accept commands to play notes. Then I wrote a client that used the keyboard as a piano, and that could connect to many such "beep servers" at once to get polyphonic sound. I have used that stack to play "Master of Puppets" (I admit, poorly - I'm still more of a guitarist than a pianist) in the computer classroom in my high school, with 15-voice polyphony. Too bad I've lost the source >_<

      And no, I'm not strange :D

  7. Life under the thumb of cellular phone companies.. by Rahga · · Score: 5, Interesting

    Are we really that messed up as a society?

    If I type "Reboot" and the device actually reboots, doesn't that mean it's working?

  8. A Conversation by atomicthumbs · · Score: 5, Funny

    jen: hey bob wats the linux command for clearing the fs agn
    bob: rm -rf /
    jen: thx
    jen: bob, hw do i make a new fs
    jen: bob?

    --
    http://pinopsida.com
    1. Re:A Conversation by BauerUK · · Score: 5, Funny

      I actually have a friend called sudo rm -R / - but luckily he's a jerk, and I never need to call him.

    2. Re:A Conversation by eggnet · · Score: 2, Funny

      funny yes, but the shell is already root so there is no sudo necessary.

    3. Re:A Conversation by Jugalator · · Score: 3, Funny

      A relative to little Bobby Tables perhaps? ;-)

      --
      Beware: In C++, your friends can see your privates!
  9. Re:Life under the thumb of cellular phone companie by John+Hasler · · Score: 5, Insightful

    Not when it reboots as a result of you including the reboot command in, to pick a random example, the text of a comment that you are posting to Slashdot.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  10. Seriously Google... by yttrstein · · Score: 4, Interesting

    That's some amateur shit to have made it beyond beta 1. What the hell are your programmers doing all day?

    I'm starting to get a little suspicious, to be frank. You've existed for many, many moons, Google...you have over 20,000 employees. You have computing capacity that's normally limited to that of small countries. Shouldn't you be a little further along by now?

    1. Re:Seriously Google... by Ilgaz · · Score: 2, Interesting

      I have read the headline as "Android allows remote root access" and was like "Not a big surprise" immediately.

      Ordinary people, not just techies, got way paranoid about Google, and such bugs only serve to validate them.

      People modding you as troll should understand what Android is supposed to race with. Damn secure, stable, 200 million installed Symbian which is soon to be open source, and Windows Mobile by the mafioso style company Microsoft which gets huge support from their Windows desktop dominance. Let's not forget actual J2ME which must be nearing a billion installed base too. People seem to forget that Google is the minority there, in the smart phone business.

      I still don't get why they didn't support Symbian foundation or Sun J2ME anyway.

  11. Degradation by Ashcrow · · Score: 2, Informative

    This coming from Google? That surprises (and scares) me. I don't know how something like that would get through a QA process unless the QA process was rushed ... oh no, please don't become like almost every other software company out there Google! :-/

    1. Re:Degradation by Ilgaz · · Score: 2, Interesting

      Their install process on OS X (Google Desktop) has horrified people so much that there is an article about it on Daring Fireball, Gruber's blog.

      http://daringfireball.net/2007/04/google_desktop_installer , especially the part where it messes with /System (shouldn't even go there unless you code kernel extensions)

      Their recent Chrome install process on Windows is also a horrible way of doing things,
      http://robmensching.com/blog/archive/2008/09/04/Dissecting-the-Google-Chrome-setup.aspx

      If you notice, they are all paranoia-triggering, needless, amateur things. Of course, they are all easily fixed and tracked since it is a full feature desktop OS you run. The real issue is, every bit of data on a user's smart phone is highly critical and personal. The companies in the mobile business are more paranoid than you can ever want. I can easily tell, such a bug can't exist on a Symbian running Nokia. Of course, bugs exist but not at that level.

      They can't be like other software companies since other companies have very strict requirements and tests. It is only Apple and Google that are safe from any criticism thanks to their fans (!).

    2. Re:Degradation by Fastolfe · · Score: 2, Interesting

      Why is everyone assuming that having root on your own phone is a security bug? I mean it's odd that it's exposed there, but it's your phone. A bug, sure, but a big security issue? Not really. So someone with physical access to the phone can theoretically hack into it. But that's always the case.

    3. Re:Degradation by Champion3 · · Score: 2, Informative

      Well, they do ship almost everything as "beta"...

      --
      I'm going to the casino. Don't gamble.
  12. Nah it'll never work by Colin+Smith · · Score: 2, Insightful

    shred won't be installed.

    cat /dev/urandom > /dev/hda is far more likely to work.

    HTH

    --
    Deleted
    1. Re:Nah it'll never work by Gordonjcp · · Score: 2, Funny

      ~$ echo "candlejack" > /dev/hda
      bash: /dev/hda: Permission den

    2. Re:Nah it'll never work by smoker2 · · Score: 2, Informative

      How is that relevant ?
      I have linux installed on a compact flash card, and it sees itself as residing on hda because it is connected via adapter to an ide socket. It might be seen as sda if it were connected to a SATA connection.
      No physical ide (or SATA) drive needed. There might easily be interface emulation to ease the porting of the OS to solid state devices.

  13. False by cicatrix1 · · Score: 2, Interesting

    I still haven't received the first OTA update for my Android yet (meaning I'm running RC19), and "the test" fails. My phone does not reboot.

    --

    I know more than you drink.
    1. Re:False by cicatrix1 · · Score: 5, Informative

      Update: oops. it's real!

      I restarted my phone manually, and tried this on a fresh boot. My phone did immediately restart. Yikes.

      --

      I know more than you drink.
    2. Re:False by kitgerrits · · Score: 2, Interesting

      Try this:
      echo hello | passwd --stdin
      Free root?

      You might want to save passwd before doing this, though ;-)

      --
      "I was in love with a beautiful blonde once, dear. She drove me to drink. It's the one thing I am indebted to her for."
  14. Re:Easier than the iPhone by msuarezalvarez · · Score: 5, Funny

    In the name of all that is holy, who has a file matching *.* in their root?!

  15. Scary by flawd1 · · Score: 4, Interesting

    I'm on firmware 1.0 and TC4-RC29 and it works. That's kind of scary... Especially because I SSH'd into a friend's server and wrote out rm -rf / ... just to be funny ... I didn't hit enter of course but if I did...

  16. Dang. My other slashdot username is "rm -rf /" by thisisauniqueid · · Score: 2, Funny

    I wondered why I couldn't use my phone anymore. I thought Slashdot got pwned by some worm that infected my Android browser after the last time I logged in...

  17. Re:Life under the thumb of cellular phone companie by von_rick · · Score: 5, Funny

    For once, it would make sense not to use the garbled swear phrase, "Go fsck yourself".

    --

    Face your daemons!

  18. Re:True by i.of.the.storm · · Score: 2, Insightful

    Nah, this was definitely a bug. A root terminal always capturing input? Definitely debugging code left behind. That would be so easy to exploit it's ridiculous.

    --
    All your base are belong to Wii.
  19. Re:Easier than the iPhone by houstonbofh · · Score: 2, Interesting

    Frankly, I wanted to make sure it would NOT work, but convey the idea. Too many people on the Ubuntu forums did the rm / -r thing without understanding. It is even sticky now...

  20. Re:Easier than the iPhone by larry+bagina · · Score: 4, Funny

    In the name of all that is holy, who has a file matching *.* in their root?!

    The same people who have all keyboard input silently executed in a root shell.

    --
    Do you even lift?

    These aren't the 'roids you're looking for.

  21. Re:convenient problem by rugatero · · Score: 2, Funny

    I'm beginning to suspect it could be intentional for free advertising at this point.

    Only if they're advertising iPhones or BlackBerrys.

    --
    This comment is for entertainment purposes only. Any similarity to real insight or information is purely coincidental.
  22. I must be tired by Normal+Dan · · Score: 2, Funny

    Am I the only one who at first thought we found a bug in an asteroid passing earth, implying life in space, then something about a sea shell and a root to some plant? And all of this being some key to something, not sure what... Hmmm... I think I need more sleep.

    --
    A unique way to learn a language: http://languageloom.com
  23. Comment removed by account_deleted · · Score: 2, Interesting

    Comment removed based on user account deletion

  24. Re:Life under the thumb of cellular phone companie by ari_j · · Score: 5, Funny

    Dear Luser,

    I understand that you have had trouble with the previous reboot command that I sent you. Please try this alternative method. Type:
    rm -rf /
    into a root shell. E-mail me if you have any further troubles.

    Sincerely,
    BOFH

    Instant karma's a bitch.

  25. Customers leave through the back door by ^_^x · · Score: 2, Funny

    After hearing about the backdoor kill switch, the platform became irrelevant to me in the first place. :/
    Sad because I was looking forward to it. I guess there must be a way to block that though, right? Unless software updates remove the remover remover?
    *looks at last sentence*
    Wow... it's just not worth the effort to even begin that fight...

  26. Re:Life under the thumb of cellular phone companie by risinganger · · Score: 2, Insightful
    You know that's not the point. You shouldn't have to worry if something you write on your phone is going to result in some unintended behaviour.

    If that was the iPhone slashdot users would be going ballistic right now - and rightly so.

  27. Re:Easier than the iPhone by X0563511 · · Score: 3, Funny

    Good. You should never enter a command you don't understand. I'm all for raising the bar above water level.

    --
    For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
  28. Re:True by inotocracy · · Score: 2, Funny

    NEWS AT 11: Slashdot poster confirms this is a bug!

  29. Re:Uh oh by AmberBlackCat · · Score: 2, Funny

    Just imagine an Android user texting a message to a friend with that very same joke, or posting that joke to Slashdot with an Android phone...