Slashdot Mirror

← Back to Stories (view on slashdot.org)

Kindle Fire and Nook Upgrades Kill Root Access

Posted by Unknown on from the bug-fixes-are-nice dept.

jfruhlinger writes "The Kindle Fire and Barnes and Noble Nook tablets are similar enough and close enough together in price that they ought to be fighting market share and one-upping each other in terms of features they offer users. But the latest OS upgrades to both gadgets claims to be an 'upgrade' while actually taking functionality away: both remove the ability to root the device." A more balanced way of looking at it is that the updates fix known local privilege escalation vulnerabilities. This might be more of an issue for people wanting to hack on the Nook Tablet: its bootloader is confirmed locked, but reports lean toward the Kindle Fire having an unlocked bootloader letting anyone flash their own software without needing to gain root first.

14 of 275 comments (clear)

  1. Good by A12m0v · · Score: 3, Insightful

    Root access was a security risk. I'm glad Amazon fixed that.

    --
    GENERATION 25: The first time you see this, copy it into your sig on any forum and add 1 to the generation.
    1. Re:Good by SJHillman · · Score: 5, Insightful

      Sort of like being able to open the hood on your car is a security risk.

    2. Re:Good by Anonymous Coward · · Score: 5, Insightful

      Yeah, seriously. When you have a security flaw that allows root privilege escalation you don't just decide not to fix that because the homebrewer's were using it as a convenient way to get access to the machine. If this was on an (open) desktop platform, such a flaw wouldn't really be tolerated for long.

      It's like when people are upset that an exploit in a game was fixed that people were using to win / get free stuf / etc, yet they don't get upset when a bug is fixed that was actually preventing them from completing a game.

    3. Re:Good by tepples · · Score: 4, Insightful

      Then let's roll with the analogy: why don't more Android devices have a legitimate hood release of sorts?

    4. Re:Good by betterunixthanunix · · Score: 5, Insightful

      If this was on an (open) desktop platform, such a flaw wouldn't really be tolerated for long.

      Which is why the user should simply be given root access to begin with. Instead of having to use privilege escalation attacks, users should just be able to hit a button or flip a switch to enable root access for themselves. Quick, easy, and perhaps voiding the warranty (but I think anyone who wants root access is willing to have no warranty).

      Why is this so hard?

      --
      Palm trees and 8
    5. Re:Good by mlts · · Score: 4, Insightful

      Bingo. One can just look at the Nexus line of devices and the "fastboot oem unlock" command and the warning given as the right way to go about doing this. This is enough of a hurdle to keep Joe Sixpack from doing it so he can see the dancing bunnies, but allows people who are willing to trash their device (and not bother calling hardware support) to do what they feel free to.

    6. Re:Good by Andy+Dodd · · Score: 4, Insightful

      Actually, a privilege escalation exploit IS a security risk.

      The unlocked bootloader means that on the Fire, this is at most a small speedbump in the process of modifying a device. However this prevents malware from gaining privilege escalation. (Most of the easiest Android rooting techniques like psneuter and rageagainstthecage relied on exploits that could and WERE also used by malware such as Droid Dream.)

      --
      retrorocket.o not found, launch anyway?
    7. Re:Good by nedlohs · · Score: 4, Insightful

      That's the point.

      That isn't what was removed. What was removed was a security flaw that let a non-root app running on the device get root priveledges.

    8. Re:Good by Moryath · · Score: 5, Insightful

      And yet if the car companies removed your hood release and required a special key or tool only available at the dealerships, you'd be screaming bloody murder and so would the mechanic's unions with good reason - in fact, several times there were class action lawsuits against GM, Ford, and Toyota due to their refusal to sell the appropriate adapters and codebooks necessary to troubleshoot or reset "check engine lights" and computer warnings to the 3rd-party mechanic shops.

      Imagine if the car companies wanted to take away your RIGHT to have your car fitted out with a turbocharger, or an aftermarket performance chip, or a better flywheel, or any number of other changes.

      Now why is it that people don't scream bloody murder when they have a computing device in their hand, personal property they purchase, and they're told "but you don't have admin rights to change anything so there"???

  2. Re:Neither advertise Android as a selling point by tepples · · Score: 4, Insightful
    Anonymous Coward wrote, in a slightly more inflammatory wording:

    Neither device [...] has access to the real android market.

    Maybe you should [...] go buy a real Android tablet...

    Which affordable, certified "real Android tablet" in the 7 to 8 inch range do you recommend instead of a Kindle Fire or Nook Tablet? Or are Kindle Fire and Nook Tablet like game consoles, sold at razor-thin margins or even at a loss to get people onto the manufacturer's store, and that's why they're so much cheaper than Google-certified devices?

  3. Follow the money by MonsterTrimble · · Score: 4, Insightful
    First off, is anyone surprised? As a business, I'm making sure:
    1) That people don't try to return the product when they screw it up doing something that the product wasn't intended to do (and it costs me money)
    2) That I eliminate a potential attack vector for malware which would lead to decreased sales and increased returns (which costs me money)
    3) That people are locked into using my products (which makes me money)

    This is all about the money people. This isn't about trying to screw over the 0.1% of people who buy the tablet - It's about maximizing the profits. And let's be realistic here - they will be recracked in short order.

    --
    I call it 'The Aristocrats'
    1. Re:Follow the money by betterunixthanunix · · Score: 4, Insightful

      That people don't try to return the product when they screw it up doing something that the product wasn't intended to do

      It is a computer, not a hammer. Since when do we declare that a computer is "not intended" to do something in software? If people were complaining that their Nook could not solve the Post correspondence problem, you would have a point.

      --
      Palm trees and 8
    2. Re:Follow the money by tepples · · Score: 3, Insightful

      That people don't try to return the product when they screw it up doing something that the product wasn't intended to do (and it costs me money)

      The proper way to fix this isn't to block all rooting but to provide a working recovery means to reset the operating system to factory state, restore applications from the market, and restore the user's data from automatic backup. Then figure out a way to segregate the user's data so that it doesn't have to be restored as often; the "/sdcard" partition in some Android devices has worked well for this.

      That I eliminate a potential attack vector for malware

      You can't neutralize malware without first defining malware. This involves enumerating the possible bad things that malicious software can do. Does this list of bad things miss anything?

  4. Re: Car Analogy by sunderland56 · · Score: 3, Insightful

    Much better car analogy: some car manufacturer comes out with a model where, if you hit the driver's door with your hand in the right place, the door unlocks. Lots of people buy the car and enjoy it, since you don't need to carry the keys around with you. Then the car manufacturer fixes the fault, and many people cry foul. Everyone misses the point that it is a generally bad idea to allow criminals to trivially get in to your car, and that locks are a *good* thing.