Recent Blu Update Locks Users out of Their Phones (bleepingcomputer.com)
An Android update that Blu shipped to Blu One Life X2 smartphones yesterday, November 28, has locked people out of their phones. From a report: On forums, Reddit, and Blu's official Facebook page, users are complaining that after applying the update and rebooting the device, their phone won't recognize their password, PIN code, or pattern lock, even if users are 100% sure they are entering the correct data. Bleeping Computer has independently verified this bug. "I updated my BLU Life One X2 around 2 hours ago. It asks for a password in order to access Android," said one of the Blu users facing this problem. "I am completely locked out of my phone. Every single password used is marked incorrect." After ten "failed" login attempts, the user's data is wiped from the device, according to the standard Android OS behavior.
we learned earlier today that you can spoof login to become root on macOS -- this android feature makes it much, much more secure than macOS - you cannot login as root (or anything else) :-).
Now you know why you're Blu.
Guess I won't be buying one of those.
Was thinking it was your phone. You paid the manufacturer for the right to carry it around, but they get to decide what software runs on it.
“Common sense is not so common.” — Voltaire
Were you expecting to reboot and get a free bonus life?
Time to install pay phones again. Oh, and none of that touch tone shit that allows prepaid cards to work, Ma Bell needs her coin revenue.
Everybody knows that no phone manufacturer would ever actually do any software updates.
It's a BLU phone, fer christ sake. Did people honestly believe that a cheap Chinese smartphone from not-Huawei/OnePlus/Xiaomi wasn't going to be bad news? Hell, the top review on Amazon for the phone dates back to April stating that the phone ships with unremovable spyware that's easily detected with free malware solutions.
Locking people out of their smart phones might reduce people walking with their face glued to the tiny screen. Especially in crosswalks or near construction zones. It is even possible that people driving will stop looking at a phone that they are locked out of. Maybe not, but possibly.
Who knows, people might even discover this thing called 'outdoors' and become aware of what color the sky is.
I'll see your senator, and I'll raise you two judges.
Why does anyone think this is a good idea?
Summation 2
For those who don't know BLU, I had never heard of them either, so I assumed it is some sort of small Chinese OEM, but actually it seems BLU (Bold Like Us) phones are popular with the Latin population in the Americas. They have been known to send data to China, so I guess their reputation is not top notch...
Violence is the last refuge of the incompetent. Polar Scope Align for iOS
I'd go with blu for e-cigs, not so much for phones.
So all I have to do to wreck somebody's day is input an incorrect password 10 times and all their data is deleted? Seems like a huge DOS to me.
If you've lost physical possession of the phone you're already toast. As a security feature they just assume that if you can't get the password within 10 tries you're not the actual owner and it's best for the phone to wipe itself rather than sit there waiting for them to brute-force it.
Also for most of your stuff it's backing up to the cloud anyways so if your phone erases itself you just get a new one, enter your Google account, and it's all still there anyways.
"People who think they know everything are very annoying to those of us who do."-Mark Twain
BLU Started out to be one of the GSM Good Guys. They offered a MediaTek based, inexpensive, near Stock Android experience. I own two BLU Studio 5.0C devices, and two BLU R1 HD. They didn't have locked bootloaders. They supported proper FastBoot and Recovery. Most applications were not installed in the system partition. Root was easy.
Then you found out that BLU either couldn't, or wouldn't update the version of Android on their devices, instead they would patch KitKat or Lollipop against whatever vulnerabilities they have. This was because their MediaTek Drivers made updating the roms very likely to break things. Then, after a few years, they started dropping support for devices entirely.
Then came things like the Sponsorship deals with Amazon to put Ads on lock screens... and this started with the R1 HD... and... oh boy... here we go. Here came the locked bootloaders. Here came the Amazon Preloads of whatever App they had. When people started rooting them to get rid of that garbage, they responded by altering their Preloaders to patch out Fast Boot Access, and disable SP Flash tools. By this time there were TWRP recoveries, Alternate Stock roms, and LineageOS Builds.
They not only disabled SP Flash Tools for their Amazon supported models, but every model post the R1 HD that wasn't Ad supported.
The last straw for me was the ADUPS Debacle, and the MTK Logger vulnerability, and I promise you, I will not buy another device from BLU.
Real men just change the program code, of course it will work as intended!
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Apple is once again a leader in usability!
Although your message is sadly dated, there's already an OSX patch out.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Well not exactly the same thing, but close enough. One day out of the blue my iPhone asks for a 6 digit PIN where it was previously configured with a 4 digit PIN. Wipe / reset / total loss. I'm happy to be back on Android but I will say the IOS experience wasn't near as painful as I expected once I got used to not having an app drawer.
All those cheapskates saving ten cents a day by getting some mid-range Android phone instead of an iPhone must be really regretting their decision right now.
Slashdot: providing anti-social weirdos a soapbox, since 1997.
This isn't good. Thankfully my Blu R1 plus is not affected. Of course, people will bash them for this and other things but there is no other phone of this quality out there for $160. I'm very happy with it.
I have the Life One X, and I got it because of all of the good reasons you stated. Dual-SIM, good features, mostly stock, unlocked, and $150. So I got one for myself and for my wife. It came with Lollipop, and I thought it would never get updated... but it did! They updated it to Marshmallow earlier this year. I was shocked and happy. I sung the praises of BLU.
Then the spying came out.... and I was nervous, but my phone wasn't affected. My wife cracked the screen on hers, and we just couldn't go with BLU again, so she got a Moto. When mine dies or becomes too outdated, I don't see how I could choose BLU again. It's unfortunate, it seemed they were doing so many things right.
My beliefs do not require that you agree with them.
Now, who is Blu? I've never heard of the company until now
You know, like Windows.
If not - if it asks first - and if you then remove your password before rebooting - does it still lock you out? With no password, it shouldn't. Then, once rebooted and updated, reapply a password. Messy, not user-friendly in the slightest, but it's a way out. Otherwise - tada! - a fresh clean like-new phone after 10 tries! Hope your data area backed up at Google Drive regularly...
After ten "failed" login attempts, the user's data is wiped from the device, according to the standard Android OS behavior.
Really? Does that mean I can wipe anybody's phone without knowing their unlock code / pattern, just as long as I can get my hands on it for a minute or two? Super easy denial of service.
I've had a Blu Vivo 6 for a fraction over a year now (bought on Black Friday 2016 - its actual release day here in the UK) and there's not been a *single* update for it (not even a minor one). So it's stuck on Android 6.0 and an Android security patch level from way back in September 2016! Looking at Blu's Facebook/Twitter, it's full of people with Blu phones begging for any sort of updates...and getting right royally fobbed off by Blu staff every time ("we're working on it", "it's coming soon"...for a full year?!). It seems Blu just abandon a phone on launch and release its successor 6-12 months later with the updates instead (yep, there's a Blu Vivo 8 with Android 7 available in the US now, but the specs aren't that much better than the Vivo 6).
This annoyed me so much, I've just bought a Umidigi Z1 (more RAM, faster CPU/GPU, Android 7, dual rear cameras, multiple updates this year, costs 50 pounds less) to replace it. A shame really, because the Vivo 6 is actually a nice phone - if it had gone to Android 7 like the Vivo 8 has, I'd have kept it for much longer.
Everybody knows that no phone manufacturer would ever actually do any software updates.
Ha ha. But seriously ...
Now you know one big reason WHY they don't like to push updates.
"It's working. Why risk bricking it? Especially since we'd brick ALL of 'em and incur enormous costs fixing the oopsie!"
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
IMHO a better approach might be to, after a few tries, have progressively longer times before another try is allowed.
With the right backoff algorithm you can allow only a finite, and reasonably small, number of tries even in infinite time. But the alternative of also shortening the interval with time when no attempts are being made can make it return to normal behavior after a reasonable time, even if it had been poked at for a long time (at the cost of allowing an arbitrary number of tries in infinite time).
The downside is that the phone doesn't render the data permanently unavailable to other attack methods (such as unsoldering, decapping, debug-port probing, etc.) if the password guessing is tried and fails.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
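An added simulation (not part of the comment above and not Android's code) of the two throttling policies that comment contrasts: a lockout that doubles after each failure, with and without forgiving failures during idle time. `FREE_TRIES`, `BASE_DELAY`, the one-hour decay period and the names `Throttle` and `count_guesses` are assumptions chosen for illustration.

```python
# Added illustration; FREE_TRIES, BASE_DELAY and the decay period are assumed
# values, not Android's real throttling parameters.
FREE_TRIES = 5     # wrong guesses allowed before any delay is imposed
BASE_DELAY = 30    # seconds of lockout after the first throttled failure
DAY, YEAR = 86_400, 365 * 86_400


class Throttle:
    def __init__(self, decay_after=None):
        self.decay_after = decay_after   # idle seconds that forgive one failure
        self.failures = 0
        self.locked_until = 0
        self.last_attempt = 0

    def attempt(self, now, correct):
        """Return 'locked', 'ok' or 'fail' for a guess made at time `now`."""
        if now < self.locked_until:
            return "locked"              # guess is not evaluated during lockout
        if self.decay_after:
            # Forgive one failure per full idle period since the lockout ended.
            idle = now - max(self.locked_until, self.last_attempt)
            self.failures = max(0, self.failures - idle // self.decay_after)
        self.last_attempt = now
        if correct:
            self.failures = 0
            return "ok"
        self.failures += 1
        over = self.failures - FREE_TRIES
        if over > 0:                     # delay doubles with each further failure
            self.locked_until = now + BASE_DELAY * 2 ** (over - 1)
        return "fail"


def count_guesses(throttle, horizon, wait=1):
    """Wrong guesses evaluated within `horizon` seconds when the attacker
    waits `wait` seconds after each lockout ends before guessing again."""
    now, evaluated = 0, 0
    while now <= horizon:
        if throttle.attempt(now, correct=False) == "fail":
            evaluated += 1
        now = max(now, throttle.locked_until) + wait
    return evaluated


if __name__ == "__main__":
    print("no decay, 1 day :", count_guesses(Throttle(), DAY))
    print("no decay, 1 year:", count_guesses(Throttle(), YEAR))
    print("decay 1h, paced guessing, 1 year:",
          count_guesses(Throttle(decay_after=3600), YEAR, wait=3600))
```

With these assumed values, continuous guessing yields 17 evaluated guesses in a day and 26 in a year, while guessing paced to the decay period yields 8761 in a year, which is the trade-off between the two policies.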
Also for most of your stuff it's backing up to the cloud anyways so if your phone erases itself you just get a new one, enter your Google account, and it's all still there anyways.
Assuming you allow such backup, which also makes all your data available to Google and any state actor (or other party) that can coerce them.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I'm still waiting for BLU to patch the KRACK vulnerability on my phone.
I got a BLU Advance phone for $75 on Amazon. Nice phone, dual SIM, 5.5", 64GB SD card expansion, Android Marshmallow. This was just this past summer (just before Amazon took them off the market for leaking data to China).
For the longest time, it bugged me to update the OS, but I thought: "It works. Why update and risk installing crapware?"
Then KRACK happened. And my BLU phone was still asking to be updated.
I saw that the date of the update predated the discovery of KRACK, so I knew that if I updated, it would not protect from KRACK. However, no other update was available, and eventually I figured that perhaps my failing to install a previous update was preventing a newer update from happening.
So, reluctantly, I updated. Immediate regret. First, after updating, there was no other update available. I didn't get to shield my phone from KRACK, and I'm still waiting for an available update.
Second, it installed this new BLU app that kept telling me to register, and also showed me some "great deals!" on services and things I can pay for. Umm, no thanks.
Third, it messed up my keyboard. The BLU phone originally came with this decent swipe keyboard, not just the standard one that came with Google. That disappeared, and it took a whole week for me to figure out that I wanted to install the TouchPal keyboard app, and another week of hesitation while I read reviews about the keyboard app showing intrusive advertisements, and finally I figured out that I could install the "TouchPal For HTC" app that would work equally well but not have the ads. Apparently it still wasn't the same version as previously, as there were a few glitches (e.g. holding down the N key defaults to the letter with a foreign diacritical, not the question mark which is far more commonly used).
So, for my troubles of agreeing to upgrade, I got: no KRACK protection, ads, and a decline in keyboard function.
No thanks, BLU. Can anyone tell me if CyanogenMod or whatever jailbreak is compatible with the BLU phones?
404555974007725459910684486621289147856453481154 in hex is "You sank my Battleship?"
[GPG key in journal]
Send $5000 in bitcoin to china and they will unlock it.
Until then, the Chinese gov owns you.
I prefer the "u" in honour as it seems to be missing these days.
Blu also makes a line of candybar (non-flip, with keypad) dumbphones. The Zoey 3G goes for about $30. They're decent if you want a device to just talk and text on, and work with networks that dropped 2G coverage like AT&T. They don't have the creepy telemetry of smartphones today, they're not smart enough.
Their only problem is lack of predictive text.
Bomb, Live Unit. Looks like it just went off.
I have a BLU Life One X2 phone and I love it. There is a website called blox2.com that has pretty much everything there is on rooting the device as well as user made roms and tools for the phone. When I got the phone last Christmas it was a nice upgrade over my old phone and pretty much everything about it was spectacular compared to what I was using. I had heard about their privacy concerns with other phones but I tried not to let that turn me off to cheap, amazing hardware.
I almost died laughing when I saw this article. I am so glad I opted out of using apps like PoGo and rooted my phone. I've been on the Drax rom for months (love it) and was completely unaware BLU had issued an update for it. This is why I want as much control over my devices as I can get. Next phone I'm going with a more reputable brand name and continue sticking to user communities for roms.