T-Mobile G1 Rooted 246
An anonymous reader writes "T-Mobile's G1 phone, the first commercially available Android based phone, has been rooted. The exploit is extremely simple to execute, just requiring you to run telnetd from a terminal on the phone, and then connecting to the phone via telnet."
Rooted? (Score:5, Funny)
Re: (Score:2, Informative)
-- unless it's setuid, of course.
Re: (Score:2)
*whoosh*
people other than the person running telnetd can gain root access to the device.
Re:Rooted? (Score:5, Funny)
in related news, researchers have discovered that if you open a root console on any flavour of linux and stick the keyboard out a window anyone walking by will be able to gain root access to your machine.
Re:Rooted? (Score:4, Informative)
And it also works in the other way... you can put your already rooted equipment into any window, and anybody inside that house will be able to gain root access, and also call the police
Re:Rooted? (Score:5, Funny)
Clearly, we should avoid using windows.
Re:Rooted? (Score:5, Insightful)
The much better question is: why is there a telnetd on the phone in the first place?
Re:Rooted? (Score:5, Insightful)
Because telnetd has some tiny fraction of the system overhead of ssh daemons, even "tiny" ones.
Comment removed (Score:5, Funny)
Re: (Score:3, Informative)
CPU usage for an SSH daemon during an interactive session, while it probably is higher than a telnet daemon, is still low enough (0.005% instead of 0.001%, perhaps?) that it'll most likely get lost in the noise. I have dropbear running on a WRT54GL, and it has no trouble keeping up. The trivial CPU usage is worth the added security. It might crunch a bit more during session setup when it's using public-key encr
Re:Rooted? (Score:4, Insightful)
News Flash
Houses are rootable. If you unlock your doors and hang out a 'rob me' sign, people can break in.
Re:Rooted? (Score:4, Insightful)
If the door's unlocked, it's hardly "breaking in," is it?
Re:Rooted? (Score:5, Informative)
If the door's unlocked, it's hardly "breaking in," is it?
Yes it is.
The "Breaking" part of "Breaking & Entering" refers to breaking the plane of entry, not physically damaging anything.
"Breaking" is not actually a separate action from "Entering". The reason they are used together is for clarity...one word derives from Old English, and the other word derives from French. Writing laws this way was useful when the Normans and Saxons were trying to cohabitate on the same island.
There are many legal terms constructed the same way:
Null and void
Cease and desist
Last Will and Testament
Aid and Abet
Goods and Chattels
Terms and Conditions
etc.
Re:Rooted? (Score:5, Funny)
Null and void
These are very different things, at least if you are a C programmer.
In addition to... (Score:5, Funny)
So are Terms and Conditions.
Terms are the things around your pluses and minuses.
Conditions (in my interpretation) are expressions of an integral type inside a conditional statement.
I wouldn't want to handle volatile chemicals or long johns or union jacks if I'm about to get struct by lightning. Happened to me once, a long long time ago.
Re:Rooted? (Score:5, Funny)
Your right, dammit. Should be "NULL && void*".
Wow, that's two languages in which you've completely failed. In less than sixty characters.
Re: (Score:2)
"refers to breaking the plane of entry"
No it doesn't. It meant breaking your way in, just like it sounds. The application of the laws later changed to any forcible entry and finally to even using just the force required to open an unlocked door. Isn't it great how judges can change our laws without rewriting them?! In some states the laws *have* been changed to call any trespass of an enclosed property "breaking and entering". I guess they liked the name. It's kinda cool.
"Breaking the plane" is an explanati
Re:Rooted? (Score:5, Informative)
Erm.... Breaking and entering is exactly what it says. Just entering is called trespassing, and just breaking is called criminal damage. Don't ask me how I know :).
Re:Rooted? (Score:5, Funny)
How do you know?
Re: (Score:2)
Re:Rooted? (Score:5, Funny)
Re:Rooted? (Score:4, Funny)
That reminds me of the van owner that put up a sign saying 'No tools or valuables inside'
The next morning it had been broken into and the thieves had left a note saying 'Just checking'
Re:Rooted? (Score:4, Funny)
No. Needs citation and permanent link to reputable source. We will then run it past the legal department and conduct a full analysis of all facts and observations and, upon filing the requisite forms, of course, only then will we consider your suggestion of "humor". Please allow the standard six to eight weeks for the laugh.
Re:Rooted? (Score:5, Funny)
Agreed. Non-story. This is just stupid.
Excuse me sir... I would like to hack into your phone. Could you please type this in for me...
Re:Rooted? (Score:4, Insightful)
To be fair though, lots of people /are/ stupid enough to fall for this kind of thing... consider how well that "I love you" worm or whatever it was did a few years back.
With the right method, I'm sure you could con people into doing something silly with an Official-sounding text message, and then exploit it.
Re:Rooted? (Score:5, Funny)
i dunno. tech support operators have a hard enough time walking the average person through how to run ipconfig on their windows PCs. trying to get the average person to open a terminal in Linux to run anything would be like trying to walk a cow down a flight of stairs.
Re:Rooted? (Score:4, Insightful)
The BEST ringtones!
The FUNNIEST jokes!
REAL horoscopes tailored for YOU!
Sports! Fashion! Celebrity gossip! Keno numbers!
Just text FAIL to 37528!
Sign up now and get a free spinning rim background!
SPECIAL BONUS for G1 owners!
After texting FAIL to 37528, open up telnet to receive your mystery gift!
Text FAIL to 37528, TODAY!
Re: (Score:3, Informative)
> Agreed. Non-story. This is just stupid.
Guess you didn't actually read the material. This shouldn't work but somehow a privilege escalation is allowing a non-root user to invoke telnetd and then to connect from outside and actually get a root shell. So the owner of the hardware is able to break into T-Mobile's software. Oh the horror!
So far it is more likely to simply get patched instead of developing into a full jailbreak but stay tuned. The camel's nose has entered the tent, it just might be able t
I haven't followed the whole Android business, but (Score:5, Funny)
...wasn't this supposed to be an open platform anyway? I don't quite get it.
Re: (Score:2)
What don't you get? Someone ran a network service on an open platform, the service was buggy, the device got exploited (in theory, anyways).
Re:I haven't followed the whole Android business, (Score:5, Informative)
Sorry, I fail for not RTFA. They are misusing "rooted", which confused me. "rooted" in the popular [geek] vernacular means that a remote non-admin user can gain root access, such as through a buffer overflow exploit. It has nothing to do with the practice of gaining root access on your own devices.
Re: (Score:2)
Sorry, I fail for not RTFA. They are misusing "rooted", which confused me. "rooted" in the popular [geek] vernacular means that a remote non-admin user can gain root access, such as through a buffer overflow exploit. It has nothing to do with the practice of gaining root access on your own devices.
I think they're using it to imply that you're renting access to Google's OS instead of gaining ownership of it, so you're gaining root access against the owner's intent.
Trojan Apps (Score:2)
This in theory means any trojan app that requests "internet access" can telnet in and root the device it runs on.
That's a sizable risk
Re: (Score:2)
if you have a trojan on your system then you're already rooted. being able to run telnetd is not a security problem.
if on the other hand telnetd started up on its own, or could be remotely triggered, then it'd be a serious security flaw.
Re: (Score:2)
That's a sizable risk
No more sizable than on any platform that's remotely "open". If I can install and run unsigned apps, then trojans are a risk. If I can only run signed apps, then the risk is mitigated by exactly the same amount that the signing authority is trustworthy.
Trojan apps are just a risk.
Re:I haven't followed the whole Android business, (Score:5, Insightful)
What's next, "open"?
Re:I haven't followed the whole Android business, (Score:4, Insightful)
Don't forget "bricked".
Bricked used to mean you took the piece of equipment out to the firing range for its final trouble "shooting".
Now it means you just press the reset button.
Re: (Score:2)
Re: (Score:2)
Which is why it makes an excellent shooting target.
Re: (Score:3, Informative)
Re: (Score:2)
Sure you will. I know people are working on it (guess I'm going to be guinea pig for this again). Most HTC Windows Mobile devices this has been done long ago (and usually takes only a couple of days after a new one comes out).
Not having the signing keys is usually not that much of an issue (just disable the key check).
Coral to the rescue (Score:4, Interesting)
Coral Cache [nyud.net]
On a side note... a hyphenated domain name! How retro...
Re:Coral to the rescue (Score:4, Funny)
Re:Coral to the rescue (Score:4, Insightful)
I've never understood why so many web programmers insist on parsing E-mail addresses, very few are capable of doing it correctly. I usually use splab+someidentification@mydomain.tld - this way I can track where I submitted the address they got - but since programmers insist on parsing the E-mail address they almost always consider + to be invalid.
Just send the person a confirmation E-mail and Bob's your uncle.
Re: (Score:2)
You said it yourself - the problem is that they get it wrong, not that they do it. I use a regular expression that checks that it matches the RFC specification. A double hyphen passes, as does an address with a + in. I confirm the addresses afterward, the validation is just to check that they haven't done anything really stupid, like starting their street address in the "email address" field.
Validation is mostly about helping the user - I can't tell if they've put an incorrect address/email address/name/wha
Re: (Score:2)
Re: (Score:3, Informative)
As for validating emails, check that there's at least one @ and that the part after th
You could (Score:2)
You could always send them a POST request to their "contact us" page, explaining them about the problem.
They are likely to believe that you are sending them an email when in fact they're sending themselves an email.
They're also likely to not know the difference between a million datagrams and a ton of data.
Of course the contact us page rejects the address you enter into the address field.
Fortunately, they're competent enough to know that clients can always be trusted, so you can just post your complaint wit
Re: (Score:2)
I didn't mean nuthin' by it, honest! :)
I think you come across far fewer hyphens these days... I think people are comfortable just stringing words together, and so that has emerged as the de-facto standard. myspace, youtube, facebook, etc. A quick look at the alexa top 100 shows only one hyphen in the whole bunch.
Bad Idea (Score:4, Insightful)
Re: (Score:3, Funny)
Re: (Score:2)
That's funny, especially the list of people who also run as root. I made a root account on my Macs, just for the reasons mentioned in that funny article. Typing sudo all the time drives me mad.
Re: (Score:2)
Screw that, I just wiped OS X from my Mac Pro and installed XP.
Take that, bitches!
Wait...so.... (Score:4, Insightful)
Re:Wait...so.... (Score:4, Informative)
No, you don't have to run as root first. (Score:5, Informative)
It's apparently weirder than that. Running "telnetd" as an ordinary user apparently allows remote logins as root. This happens even though the "telnetd" executable does not apparently come with permissions set-UID to root. If that's correct, there's a security hole somewhere else that's being used by accident here. Is "login" a set-UID program on Android phones?
(As a robotics guy, I hate the name "Android" being used for a telephone. It's the worst choice since "U.S. Robotics" which ended up as a modem company.)
Re:No, you don't have to run as root first. (Score:4, Interesting)
Just about everyone in the robotics community calls them humanoid robots anyway. "Android" and "droid" are pretty much confined to sci-fi, and by the time we have real androids, I'm pretty sure this phone OS will be a thing of the past. Sure, Ishiguro's current work in this area is pretty interesting, but even those robots are only mistaken for humans from a distance, and they aren't mobile.
Re: (Score:2, Funny)
As a robotics guy, I hate the name "Android" being used for a telephone.
This makes about as much sense as hating Apple because you're a grocery store clerk.
hmnn? (Score:2)
Re:hmnn? (Score:5, Funny)
Re: (Score:2)
Well, it's a problem if you are both security conscious AND stupid.... oh how I wish that was a much smaller intersection than it actually is....
Yes... but we're talking here about a level of stupidity that would preclude the incredibly small demographic that would be smart enough to start telnetd in the first place.
Re: (Score:2)
You obviously haven't met our security people.
They are quite qualified in the area of procedures.
I think I saw this somewhere:
"procedures are the last refuge of the incompetent."
Re: (Score:2)
Re: (Score:2)
I've found that the most powerful "no porn in the workplace" document is a letter of termination for creating an inappropriately uncomfortable or hostile work environment. Nobody who receives such a letter ever checks porn from the company's computers again, and most of their coworkers don't either.
Re: (Score:2)
This is like saying... (Score:5, Insightful)
This is like saying something is "bricked" when it's just a bad firmware flash that can be fixed.
The phone isn't rooted. Rooted means someone gained root access through an exploit and/or installed a root kit. Running telnetd and then connecting as root is a normal method of logging in, no exploits required.
Or are they saying every UNIX system that has a method of remote access is rooted?
Re:This is like saying... (Score:5, Funny)
Well, I found an exploit to alter the root password on Unix systems. It's really simple. You just login or su to root, then run the command 'passwd'. Works every time.
Re:This is like saying... (Score:5, Informative)
Well, given that it's a device that isn't designed to be root-accessible by the user, this did require somebody to do something that the manufacturer didn't intend in order to gain root access.
Re: (Score:2)
parent++
Seriously, it's at least KIND OF a deal. First, there was no terminal of any sort on an android phone since I got mine Oct. 20th. So ~16 days from my receiving it to getting a root terminal. The pTerminal program is in many ways useless, as it's a really crappy terminal. But this is just what the doctor ordered.
Now, as I understand it the bootloader on the phone is encrypted or some such thing, so installing your own firmware is probably tivo-lockedout, but I'm not sure at all. I know android's
You missed something important... (Score:2)
This telnetd didn't ask for a login or password - it just went straight to a root shell prompt.
Re: (Score:2)
On a single-user device, the account you use is often root. Telnet typically has to run initially as root in order to listen on port 23. It then normally drops privs to the user who logs in. If the intent of the application wasn't to allow root access, then there's a bug in the telnet daemon. On a single-user device which is likely running in single-user mode, I'm not surprised it's easy to have a shell as root, though. I would expect this system they've been calling wide open to be, well, wide open.
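Added example, not part of the thread: one way for a device owner to check the situation discussed in the comments above, namely whether something is listening on the telnet port and which UID owns that socket. It parses the Linux `/proc/net/tcp` table; the sample rows are constructed, the function names are hypothetical, and the address decoding assumes a little-endian host.

```python
import socket
import struct

LISTEN = "0A"  # state code for a listening socket in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10023        0 1350 1 0000000000000000 100 0 0 10 0
   2: 0100007F:C350 0100007F:0017 01 00000000:00000000 00:00000000 00000000 10023        0 1402 1 0000000000000000 20 4 30 10 -1
"""


def parse_listeners(text):
    """Return (ip, port, uid) for every listening IPv4 TCP socket."""
    listeners = []
    for line in text.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # The address is a 32-bit value printed in host byte order.
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        # Field 7 is the UID that owns the socket.
        listeners.append((ip, int(hex_port, 16), int(fields[7])))
    return listeners


def risky_listeners(text, cleartext_ports=(23,)):
    """Flag listeners on a cleartext login port, and root-owned
    listeners that are not bound to loopback."""
    findings = []
    for ip, port, uid in parse_listeners(text):
        reasons = []
        if port in cleartext_ports:
            reasons.append("cleartext login service")
        if uid == 0 and not ip.startswith("127."):
            reasons.append("root-owned, reachable off-device")
        if reasons:
            findings.append((ip, port, uid, reasons))
    return findings


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:
            data = fh.read()
    except OSError:
        data = SAMPLE  # fall back to the constructed rows
    for ip, port, uid, reasons in risky_listeners(data):
        print(f"{ip}:{port} uid={uid}: {', '.join(reasons)}")
```

A listener on port 23 owned by UID 0 is the combination the thread is arguing about; a daemon started by an unprivileged user would show that user's UID in the same column.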
Re: (Score:3, Informative)
Re: (Score:2)
So if I have sex with a woman, I've rooted her?
Come to think of it, rooting around in a woman sounds good.
(off to find a woman).
--Toll_Free
They left Telnetd on it? (Score:4, Insightful)
What???
Telnetd is one of those things that should just be deleted from every system that it is on.
Just use SSH folks.
No it isn't (Score:2)
I have a small LAN with 2 machines at home behind a hardware firewall that's generally not connected to the internet anyway. Why do I need to run sshd on them when telnetd does me fine?
Re: (Score:2)
why not run sshd on them?
You can even do ssh tunneling and use scp. Plus if you ever put them on the internet you will not have to "remember" to take telnet off.
Re: (Score:2)
Re: (Score:2)
Take a good look at the number of vulnerabilities in ssh these past few years compared to telnet. Not to mention ssh is very cpu intensive for an embedded device.
Re: (Score:2)
Take a good look at the number of vulnerabilities in ssh these past few years compared to telnet.
oh yeah, telnet is super secure
Not to mention ssh is very cpu intensive for an embedded device.
I have SSH running on my phone, on my switch and on my UPS without any issues. you have absolutely no excuse for using telnet (unless it's a MUD or something).
Re: (Score:2)
It's not setuid if it runs as root and has the privs of root. In fact, not setting the uid would be the issue (if there's actually any problem with a device's owner having access to his device's administration).
Collective *gasp* (Score:2, Funny)
... everyone ready? one... two... three... *gasp*!!!
Exploit, Vulnerability, or "Working as Intended"? (Score:2)
Calling it an exploit is a stretch; perhaps it's just a vulnerability, or dare I say, "working as intended"? I doubt Google left such an obvious "security" flaw by mistake.
Whole lot of stupid going on in these replies .. (Score:5, Insightful)
The point of this exploit isn't so you can remotely hack other people's phones, it's so mobile hackers can get to a lower level than Android permits users to do, which will allow them to flash the phone with unsigned custom updates and what not and customise their phone more.
People should really read the articles and smarten up.
Re: (Score:3, Funny)
People should really read the articles and smarten up.
You must be new here.
Re: (Score:2)
Looking at his UID it is lower than yours. newbie
Isn't it MY device?? (Score:2)
Seriously... it makes the news, when a device is rooted, that you OWN? I mean, isn't that the point of owning a device? That you can do whatever you want with it?
Else it is not sold but leased. If they say they sold it, but do not give you root access, to me that is deliberate fraud and should be followed by a billion-dollar class-action lawsuit to sue them out of business.
How long before such news come out on the newest PC (eg from Dell)?
Oh, I forgot... that was a major "feature" of Vista, called TCPA.
Thank
Re: (Score:3, Funny)
I claim this first root post for Spain!
Shut up, Vespucci! (Score:2, Funny)
And it's not even Monty Python.
Smartphone - phone = PDA (Score:2)
Why can't they come out with a $100 android WITHOUT the phone capabilities? It would be a great and useful platform
A smartphone without the phone is called a PDA. And yes, there is a Linux PDA; you will just have to wait for the next preorder [openpandora.org].
Re: (Score:2)
I don't know that many people would call an iPod Touch a PDA...I think the term PDA has more to do with its intended use rather than any actual physical capabilities.
iPod Touch = PDA (Score:2, Funny)
That depends on your expansion of "PDA." Have you seen the Apple fanboys making out with their devices in public? I think that counts as PDA as well.
Re: (Score:2)
Re: (Score:2)
Because the phone capabilities and the applications are all it has going for it right now, when it comes to things like video and music the G1 is nearly incompetent right now, and that seriously kneecaps its chances of competing with the ipod touch.
Yes and No (Score:2)
I use the data capabilities far more than the phone capabilities.
The fact that it's only EDGE here until next week isn't really a big deal because i'm scarcely ever off wifi.
Re: (Score:2, Funny)
Re: (Score:2, Funny)
Where is the -1: WTF? mod?
What are you talking about? That could be a great reason for +1, too!
Re: (Score:2, Funny)
-1: Inbred
Re: (Score:2)
Because the user who wants to do this downloads and installs a telnet daemon. TAIYF.
Re: (Score:3, Interesting)
Next time, just run out and patent the idea. You could make some money.
Re: (Score:3, Informative)
Does this mean that telnetd is setuid root, or does it mean that you already have to have root to get root?
Neither. That is why this article is news.