Recent Blu Update Locks Users out of Their Phones

An Android update that Blu shipped to Blu One Life X2 smartphones yesterday, November 28, has locked people out of their phones. From a report: On forums, Reddit, and Blu's official Facebook page, users are complaining that after applying the update and rebooting the device, their phone won't recognize their password, PIN code, or pattern lock, even if users are 100% sure they are entering the correct data. Bleeping Computer has independently verified this bug. "I updated my BLU Life One X2 around 2 hours ago. It asks for a password in order to access Android," said one of the Blu users facing this problem. "I am completely locked out of my phone. Ever single password used is marked incorrect." After ten "failed" login attempts, the user's data is wiped from the device, according to the standard Android OS behavior.

Android more secure than macOS

[Alain+Williams]

we learned earlier today that you can spoof login to become root on macOS -- this android feature makes it much, much more secure than macOS - you cannot login as root (or anything else) :-).

Re: Android more secure than macOS

Not much point when the first step of any update is to warn the user to back up any important data.

Re:Android more secure than macOS

LA LA LA Android is perfect!!! Look over here see an unrelated problem on a different system. Man those guys suck!!!

whoosh.

Re:Android more secure than macOS

[AmiMoJo]

To be fair TFA does make it sound like Android is pretty secure. No-one can get into these phones.

Re:Android more secure than macOS

[MikeBabcock]

Exactly what I was thinking -- if a backdoor were available, this wouldn't be such a problem for those involved lol.

Re:Android more secure than macOS

[jellomizer]

Except for the fact that there is a 3rd party tool that can change your password on your device. So while you may not be able to get in the phone, the app maker may be able to.

Re: Android more secure than macOS

[b0s0z0ku]

For $100, buy a Moto G4 Play -- as close to stock Android as you can get, removable battery, SD card. You can score the version that supports all US carriers for about $100+tax -- make sure you buy the one without Amazon lock ads.

Your first mistake

[OrangeTide]

Was thinking it was your phone. You paid the manufacturer for the right to carry it around, but they get to decide what software runs on it.

Re:Your first mistake

Or you could pretty easily install a custom ROM like LineageOS over the existing Android, thereby eliminating the ads and ensuring better security updates as well as not slowing down your device/locking out app updates as the device ages.

Re:Your first mistake

[CohibaVancouver]

Yep - It's frustrating.

Apple: 1) Pressure users into iOS upgrades until the phone eventually becomes unusable. 2) Release a product where you cannot install extra storage or (easily) replace the battery. 3) Eliminate headphone jack. 4) Create walled garden where it's extremely difficult to copy anything you want on and off the device. 5) Require management via iTunes, which, on Windows, is a fetid pile of stinking dingoes' kidneys. .

Android: All the fragmented spying versions, as you mention. Currently, I still give the edge to Samsung-Android, but it's annoying.

Re:Your first mistake

[WinstonWolfIT]

Same old tired argument.

Re:Your first mistake

[OrangeTide]

Which is actually one of my biggest issues with Android -- it's too damned fragmented.

If you don't like variety then stick with only purchasing Nexus devices. Google works directly with various vendors to make a device with a consistent experience. Pretend that the others variants of Android don't exist, this is something you can easily do as an end-user. (but not as an app developer)

Most of Android is Open Source, so you should not be surprised that every OEM gets to try something a little different. But because most customers upgrade phones regularly, there is not much incentive for the OEMs to maintain these forked code bases beyond a few dozen months. If you don't like it, take your money elsewhere, like to the flagship Nexus products.

Re:Your first mistake

[OrangeTide]

It's not so much an argument as an observation. I think the concept of property is changing in society, and primarily in favor of business rather than individuals.

Fake News

[Waffle+Iron]

Everybody knows that no phone manufacturer would ever actually do any software updates.

Look at the bright side

[DickBreath]

Locking people out of their smart phones might reduce people walking with their face glued to the tiny screen. Especially in crosswalks or near construction zones. It is even possible that people driving will stop looking at a phone that they are locked out of. Maybe not, but possibly.

Who knows, people might even discover this thing called 'outdoors' and become aware of what color the sky is.

Wiping after x failures

[Rik+Sweeney]

Why does anyone think this is a good idea?

Re:Wiping after x failures

[bzipitidoo]

My thought too. It strikes me as depending upon the thief, finder, or police inspector not knowing about that "feature", which makes it another "security by obscurity" method. And it shows a lack of confidence in encryption methods. If encryption works, then this wipe feature is at best useless, isn't it?

It enables toddlers to accidentally wipe your phone by imitating your use of the phone. Of course they could also drop your phone in the toilet. But this-- even the cat could wipe your phone. However, in my own experience, the battery going bad is still the number one way to fry a smartphone and lose its data.

Re:Wiping after x failures

[Swave+An+deBwoner]

I don't see that. The encryption "works" by limiting access to someone who knows your passphrase. If someone is allowed infinite time to brute force your passphrase then it's not the fault of encryption failing.

Re:Wiping after x failures

[green1]

Then make it an increasing timer with each attempt, rather than a wipe after X attempts.
It will quickly result in the same thing for a stolen phone, but will give you a chance to save your phone before your 2 year old wipes all your data.

BLU appears to be popular in Latin America

[Ecuador]

For those who don't know BLU, I had never heard of them either, so I assumed it is some sort of small Chinese OEM, but actually it seems BLU (Bold Like Us) phones are popular with the Latin population in the Americas. They have been known to to send data to China, so I guess their reputation is not top notch...

Re:BLU appears to be popular in Latin America

[rklrkl]

Blu are a US company that mostly releases clones of Chinese phones (i.e. keeps the hardware and Anglicises/Blu-brands the software - but there's still "Chinglish" to be found in the UI in a few places!). They seem to exclusively sell on Amazon from what I can see and some models have limited release w.r.t. which countries (i.e. which Amazon country store) you can buy them from. My Blu Vivo 6 was exclusively on Amazon UK, but the "successor" - the Blu Vivo 8 - seems to only be on Amazon US for example.

As you say, they got pulled a few times from Amazon for dodgy data leakage, but they didn't stay off for long (good on Amazon for forcing them to fix things - Blu had no choice because Amazon is their lifeline).

The phones themselves are usually very good value for money, but other than the data thing, the big black mark is that software updates to the OS are few and far between (or try "never" for my 1-year-old Blu Vivo 6). The lack of updates is why, ultimately, I wouldn't recommend them - you may as well go to the Chinese route and find an equivalent or better phone that *does* get updates (I picked the Umidigi Z1).

Re:BLU appears to be popular in Latin America

[twokay]

The MI5 is a great phone and has a very stable LineageOS ROM. Not sure how good the LineageOS ROM for the 5s is, and there is no official MI6 ROM yet. But you can still by a MI5 for a 65% discount on a Samsung flagship or 75%+ discount on an iPhone. You do have to create a "MI Cloud" account to unlock the boot loader, and wait a couple of days for them to enable your account for unlocking.

Not sure I trust their MIUI ROM with my data.

Re:Really? Andriod is that easy to DOS?

[MBGMorden]

If you've lost physical posession of the phone you're already toast. As a security feature they just assume that if you can't get the password within 10 tries you're not the actual owner and it's best for the phone to wipe itself rather than site their waiting for them to brute-force it.

Also for most of your stuff it's backing up to the cloud anyways so if your phone erases itself you just get a new one, enter your Google account, and it's all still there anyways.

How BLU Turned on its user base.

[Zombie+Ryushu]

BLU Started out to be one of the GSM Good Guys. They offered a MediaTek based, inexpensive, near Stock Android experience I own two BLU Studio 5.0C devices, and two BLU R1 HD. They didn't have locked bootloaders. They supported proper FastBoot and Recovery. Most applications were not installed in the system parition. Root was easy.

Then you found out that BLU either couldn't, or wouldn't update the version of Android on their devices, instead they would patch KitKat or Lollipop against whatever vulnerabilities they have. This was because their MediaTek Drivers made updatng the roms very likely to break things. Then, after a few years, they started dropping support for devices entirely.

Then came things like the Sponsorship deals with Amazon to put Ads on lock screens... and this started with the R1 HD... and... oh boy... here we go. Here came the locked bootloaders. Here came the Amazon Preloads of whatever App they had. When people started rooting them to get rid of that garbage, they responded by altering their Preloaders to patch out Fast Boot Access, and disable SP Flash tools. By this time there were TWRP recoveries, Alternate Stock roms, and LineageOS Builds.

They not only disabled SP Flash Tools for their Amazon suppoerted models, but every model post the R1 HD that wasn't Ad supported.

The last straw for me was the ADUPS Debacle, and the MTK Logger vulnerability, and I promise you, I will not buy another device from BLU.

Who needs testing....

[gweihir]

Real men just change the program code, of course it will work as intended!

Re:What a Blu-per

[Oswald+McWeany]

I'm surprised Blu is still around. Surely after the multiple spyware discoveries and all the other crap surrounding Blu, there isn't anyone left that doesn't know to avoid Blu.

Re:Well duh... It says One Life

[Oswald+McWeany]

Were you expecting to reboot and get a free bonus life?

I'm waiting for the hashtag #blulivesmatter

The other side of that coin

[SuperKendall]

Apple is once again a leader in usability!

Although your message is sadly dated, there's already an OSX patch out.

Re:The other side of that coin

[TheFakeTimCook]

Apple is once again a leader in usability!

Although your message is sadly dated, there's already an OSX patch out.

Not to mention that Apple published a Knowledgebase Article pretty much instantly, telling Users how to stop the login vulnerability by assigning a password to root.

IOS did that same thing to me

[shawn95gt]

Well not exactly the same thing, but close enough. One day out of the blue my iPhone asks for a 6 digit PIN where it was previously configured with a 4 digit PIN. Wipe / reset / total loss. I'm happy to be back on Android but I will say the IOS experience wasn't near as painful as I expected once I got used to not having an app drawer.

Doh!

[kamapuaa]

All those cheapskates saving ten cents a day by getting some mid-range Android phone instead of an iPhone must be really regretting their decision right now.

Re:Doh!

[AvitarX]

BLU $180 (if I'm spendy), free decent case, 18 month life
iPhone, $600, $60 for a bulky case, 3 years life maybe, Though by the end, my 18 month BLU is gonna be a better phone.

At best that's $0.30/day, and a huge bulky phone, double lose.

BLU quality

[SeriousTube]

This isn't good. Thankfully my Blu R1 plus is not affected. Of course, people will bash them for this and other things but there is no other phone of this quality out there for $160. I'm very happy with it.

this is sad, because I have a BLU and like it...

[gosand]

I have the Life One X, and I got it because of all of the good reasons you stated. Dual-SIM, good features, mostly stock, unlocked, and $150. So I got one for myself and for my wife. It came with Lollipop, and I thought it would never get udpated... but it did! They updated it to Marshmallow earlier this year. I was shocked and happy. I sung the praises of BLU.

Then the spying came out.... and I was nervous, but my phone wasn't affected. My wife cracked the screen on hers, and we just couldn't go with BLU again, so she got a Moto. When mine dies or becomes too outdated, I don't see how I could choose BLU again. It's unfortunate, it seemed they were doing so many things right.

Re:What a Blu-per

[rwven]

The bottom line is that you can buy a pretty decent entry-level Blu android phone for about a hundred bucks.

The vast majority of the world has ZERO idea what goes on in tech news. They just walk into best buy, or browse amazon, and see what looks to be a pretty good phone for a relative bargain.

Re:What a Blu-per

[fahrbot-bot]

I'm surprised Blu is still around. Surely after the multiple spyware discoveries and all the other crap surrounding Blu, there isn't anyone left that doesn't know to avoid Blu.

To paraphrase something my Dad used to sing... "If I had a horse for every time Blu made me blue, I'd have a yard full of horse... shoes."

Headline should be Major shock: Blu updates exist

[rklrkl]

I've had a Blu Vivo 6 for a fraction over a year now (bought on Black Friday 2016 - its actual release day here in the UK) and there's not been a *single* update for it (not even a minor one). So it's stuck on Android 6.0 and an Android security patch level from way back in September 2016! Looking at Blu's Facebook/Twitter, it's full of people with Blu phones begging for any sort of updates...and getting right royally fobbed off by Blu staff every time ("we're working on it", "it's coming soon"...for a full year?!). It seems Blu just abandon a phone on launch and release its successor 6-12 months later with the updates instead (yep, there's a Blu Vivo 8 with Android 7 available in the US now, but the specs aren't that much better than the Vivo 6).

This annoyed me so much, I've just bought a Umidigi Z1 (more RAM, faster CPU/GPU, Android 7, dual rear cameras, multiple updates this year, costs 50 pounds less) to replace it. A shame really, because the Vivo 6 is actually a nice phone - if it had gone to Android 7 like the Vivo 8 has, I'd have kept it for much longer.

Re:I'm sure this impact a lot of people

[dk20]

walmart, bestbuy and others carry them. (in the stores, not just online).

https://www.walmart.com/search...

Ha ha. But seriously ...

[Ungrounded+Lightning]

Everybody knows that no phone manufacturer would ever actually do any software updates.

Ha ha. But seriously ...

Now you know one big reason WHY they don't like to push updates.

"It's working. Why risk bricking it? Especially since we'd brick ALL of 'em and incur enormous costs fixing the oopsie!"

IMHO why not just progressively longer times?

[Ungrounded+Lightning]

IMHO a better approach might be to, after a few tries, have progressively longer times before another try is allowed.

With the right backoff algorithm you can allow only a finite. and reasonably small. number of tries even in infinite time. But the alternative of also shortening the interval with time when no attempts are being made can make it return to normal behavior after a reasonable time, even if it had been poked at for a long time (at the cost of allowing an arbitrary number of tries in infinite time).

The downside is that the phone doesn't render the data permanently unavailable to other attack methods (such as unsoldering, decapping, debug-port probing, etc.) if the password guessing is tried and fails.

Re:Really? Andriod is that easy to DOS?

[Ungrounded+Lightning]

Also for most of your stuff it's backing up to the cloud anyways so if your phone erases itself you just get a new one, enter your Google account, and it's all still there anyways.

Assuming you allow such backup, which also makes all your data available to Google and any state actor (or other party) that can coerce them.

My BLU hasn't patched KRACK yet

[KWTm]

I've had a Blu Vivo 6 for a fraction over a year now (bought on Black Friday 2016 - its actual release day here in the UK) and there's not been a *single* update for it (not even a minor one).

I'm still waiting for BLU to patch the KRACK vulnerability on my phone.

I got a BLU Advance phone for $75 on Amazon. Nice phone, dual SIM, 5.5", 64GB SD card expansion, Android Marshmallow. This just this past summer (just before Amazon took them off the market for leaking data to China).

For the longest time, it bugged me to update the OS, but I thought: "It works. Why update and risk installing crapware?"

Then KRACK happened. And my BLU phone was still asking to be updated.

I saw that the date of the update predated the discovery of KRACK, so I knew that if I updated, it would not protect from KRACK. However, no other update was available, and eventually I figured that perhaps my failing to install a previous update was preventing a newer update from happening.

So, reluctantly, I updated. Immediate regret. First, after updating, there was no other update available. I didn't get to shield my phone from KRACK, and I'm still waiting for an available update.

Second, it installed this new BLU app that kept telling me to register, and also showed me some "great deals!" on services and things I can pay for. Umm, no thanks.

Third, it messed up my keyboard. The BLU phone originally came with this decent swipe keyboard, not just the standard one that came with Google. That disappeared, and it took a whole week for me to figure out that I wanted to install the TouchPal keyboard app, and another week of hesitation while I read reviews about the keyboard app showing intrusive advertisements, and finally I figured out that I could install the "TouchPal For HTC" app that would work equally well but not have the ads. Apparently it still wasn't the same version as previously, as there were a few glitches (e.g. holding down the N key defaults to the letter with a foreign diacritical, not the question mark which is far more commonly used).

So, for my troubles of agreeing to upgrade, I got: no KRACK protection, ads, and a decline in keyboard function.

No thanks, BLU. Can anyone tell me if CyanogenMod or whatever jailbreak is compatible with the BLU phones?

trivial to solve

[WindBourne]

Send $5000 in bitcoin to china and they will unlock it.
Until then, the CHinese gov owns you.

Re:I'm sure this impact a lot of people

[b0s0z0ku]

You can also buy them in no-name cell phone stores in immigrant-heavy sections of large US cities.

Re:ecigs?

[b0s0z0ku]

Different firm, apparently.

Blu dumbphones...

[b0s0z0ku]

Blu also makes a line of candybar (non-flip, with keypad) dumbphones. The Zoey 3G goes for about $30. They're decent if you want a device to just talk and text on, and work with networks that dropped 2G coverage like AT&T. They don't have the creepy telemetry of smartphones today, they're not smart enough.

  Their only problem is lack of predictive text.

Called it (no, not really)

[OneAhead]

Bomb, Live Unit. Looks like it just went off.