Bug In Android Passes Keystrokes To Root Shell

pasokon writes "ZDNet reports on an Android bug in T-Mobile G1s with early versions of the firmware: 'When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. ... open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: (enter)-r-e-b-o-o-t-(enter). Poof, your phone will reboot.'"

Uh oh

[areusche]

So would typing:

Enter shred -vfz -n 100 /dev/hda

Do what I think it would do?

Life under the thumb of cellular phone companies..

[Rahga]

Are we really that messed up as a society?

If I type "Reboot" and the device actually reboots, doesn't that mean it's working?

Seriously Google...

[yttrstein]

That's some amateur shit to have made it beyond beta 1. What the hell are your programmers doing all day?

I'm starting to get a little suspicious, to be frank. You've existed for many, many moons, Google...you have over 20,000 employees. You have computing capacity that's normally limited to that of small countries. Shouldn't you be a little further along by now?

False

[cicatrix1]

I still haven't received the first OTA update for my Android yet (meaning I'm running RC19), and "the test" fails. My phone does not reboot.

Re:False

[kitgerrits]

Try this:
echo hello | passwd --stdin
Free root?

You might want to save passwd before doing this, though ;-)

Scary

[flawd1]

I'm on firmware 1.0 and TC4-RC29 and it works. That's kind of scary... Especially because I SSH'd into a friend's server and wrote out rm -rf / ... just to be funny ... I didn't hit enter of course but if I did...

Re:Easier than the iPhone

[houstonbofh]

Frankly, I wanted to make sure it would NOT work, but convey the idea. Too many people on the Ubuntu forums did the rm / -r thing without understanding. It is even sticky now...

Re:Open source, remember? fix already out

[Khyber]

Bingo - You won't see this sort of turnaround time for a fix for the iPhone.

and this is why FOSS is a champion to me - the community fixes the issue and everyone else can check the fix to make sure it's not malicious.

And this is why all gov't entities in the USA should use FOSS. The people/community as a whole can do a better job of keeping the government secure than corporations can.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Seriously Google...

[Ilgaz]

I have read the headline as "Android allows remote root access" and was like "Not a big surprise" immediately.

Ordinary people, not just techies got way paranoid about Google and such bugs only serves to validate them.

People modding you as troll should understand what Android is supposed to race with. Damn secure, stable, 200 million installed Symbian which is soon to be open source and Windows Mobile by the mafioso style company Microsoft which gets huge support from their Windows desktop dominance. Lets not forget actual J2ME which must be nearing a billion installed base too. People seems to forget that Google is the minority there, in smart phone business.

I still don't get why they didn't support Symbian foundation or Sun J2ME anyway.

Re:Degradation

[Ilgaz]

Their install process on OS X (Google Desktop) has horrified people so much that there is article about it on Daring Fireball, Gruber's blog.

http://daringfireball.net/2007/04/google_desktop_installer [daringfireball.net] , especially the part where it messes with /System (shouldn't even go there unless you code kernel extensions)

Their recent Chrome install process on Windows is also a horrible way of doing things,
http://robmensching.com/blog/archive/2008/09/04/Dissecting-the-Google-Chrome-setup.aspx [robmensching.com]

If you notice, they are all paranoia triggering, needless amateur things. Of course, they are all easily fixed, tracked since it is a full feature desktop OS you run. The real issue is, every bit of data on users smart phone is highly critical and personal. The companies in mobile business are more paranoid than you can ever want. I can easily tell, such a bug can't exist on a Symbian running Nokia. Of course, bugs exist but not that level.

They can't be like other software companies since other companies have very strict requirements, tests. It is only Apple and Google safe from any criticism thanks to their fans (!).

Re:Scary

[Anonymous Coward]

rm -rf / would not work. The key binding to type / (alt-another key) on the G1 is not recognized by the console.

JasonDP

[Anonymous Coward]

I have the Android build:
kila-user 1.0 TC4-RC29 115247

And i just tried this and it rebooted my phone. Really WTF. I imagine this will be fixed soon, but i do know several people have not received the RC29 OTA updates. I never did i had to manually update the phone, and as far as i know i do not have the patch to fix 'jailbreaking' the phone as its called.

Re:Open source, remember? fix already out

[harry666t]

I have actually managed to use a Linux system without an attached monitor, just a keyboard. I've been writing commands blindly and using "foo && python -c 'print chr(7)'" and alike to get some feedback through PC speaker. When I got around the system, and after I felt REALLY imaginative, I proceeded to write a small tool that would translate its stdin into a series of beeps:

python -c 'sys,time=__import__("sys"),__import__("time"); time.sleep(3); beepn = lambda x: [(sys.stdout.write(chr(7)), sys.stdout.flush(), time.sleep(0.3)) for i in range(int(x))]; [(beepn(ord(ch)/16), time.sleep(1), beepn(ord(ch)%16), time.sleep(2)) for ch in raw_input()]'

Yeah, it would beep ASCII codes of each char in hex.

It was fun :)

Re:Degradation

[Fastolfe]

Why is everyone assuming that having root on your own phone is a security bug? I mean it's odd that it's exposed there, but it's your phone. A bug, sure, but a big security issue? Not really. So someone with physical access to the phone can theoretically hack into it. But that's always the case.

Re:Open source, remember? fix already out

[harry666t]

Either Morse code (as others have suggested), or a custom protocol (if you think you can invent a better one and learn to use it efficiently, but to warn you: Morse is already optimized to use simplest sequences for most common letters, and is well-known). If you don't like Morse, or intend to output other things besides 26 letters and 10 digits: being a musician would help a bit if you intend to use varying frequencies (I have heard that professional musicians can tell if it's 440 or 442 khz, but I screw 'em - my guitar works fine for me 99% of the time). Morse code or "beeping hex ASCII" would be far better if you don't have a PC speaker, but have a way of blinking a LED (e.g. HD LED, keyboard LED, or somehow through a serial port). Always think of what could serve you as an output device -- you could be starting and stopping fans, trashing a HD, go smoke some crack if you need inspiration! :D

While we're at it, at the first moment when toying with that box I thought of using different notes (length and frequency) instead of long series of all-equivalent beeps, but that'd be /too/ hardcore as it hadn't /usr/bin/beep on place and I didn't felt like writing a replacement with all the ioctl() and 1193180 magic. Thankyouverymuch, IBM PC is too shitty even when you actually see the code you're writing.

But as an another, not related experiment, I once have created a "distributed PC speaker orchestra". Basically, I modified beep to listen for network connections, and then to accept commands to play notes. Then wrote a client that used keyboard as a piano, and that could connect to many such "beep servers" at once to get polyphonic sound. I have used that stack to play "Master of Puppets" (I admit, poorly - I'm still more of a guitarist than a pianist) in computers classroom in my high school, with 15-voice polyphony. Too bad I've lost the source >_<

And no, I'm not strange :D