Linked by David Adams on Sun 9th Nov 2008 16:50 UTC, submitted by Hakime
Bugs & Viruses

There's a bug in Android that crosses over from the realm of serious into self-parody: "It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!"
Howie S
Member since:
2005-07-14

Too bad about this bug - the first generation of anything is bound to be buggy.

Still, it's a good example of the open source development model leading to bugs being exposed and patched sooner.

Good on Google and the open source community for not simply keeping silent or sweeping it under the carpet. Proof of the power of open source.

Reply Score: 0

Kroc Member since:
2005-11-10

Too bad? Too bad?
This is an absolute disaster.
It is an unmitigated failure.

How can you paint a complete failure to protect the customer's personal data and security, a good thing and "proof of the power of open source"?

If it were Microsoft or Apple, they would be instantly ripped a new one.

A bug like this might write Android out of the enterprise market, permanently.

Reply Score: 13

irbis Member since:
2005-07-08

A bug like this might write Android out of the enterprise market, permanently.

Good points, but Android is still very, very young, practically beta only. Most people haven't even considered purchasing the product yet for that exact reason.

We all know that new products quite often have many bugs, although maybe not as serious as this one, usually. Making permanent judgments may thus be a bit early.

If seen from a positive point of view, hopefully the Android team will now learn their lessons from this, permanently, and there will never be as serious security announcements for Android again. It is up to them, and only time will tell.

Reply Score: 5

Kroc Member since:
2005-11-10

Aye, I agree, this needs serious action from Google. Their whole security review process needs reviewing.

Reply Score: 3

google_ninja Member since:
2006-02-05

The fact that this made it to beta is pretty bad...

Reply Score: 1

aesiamun Member since:
2005-06-29

A beta product should never be sold with a 2 year contract attached to it.

Reply Score: 5

capricorn_tm Member since:
2005-12-31

Dear Lord, my friend!

You think our good friends at Redmond are aware of this very truth?

Reply Score: 1

aesiamun Member since:
2005-06-29

What Microsoft product comes with a two year contract? I have yet to have to sign anything and lock myself into a provider for 2 years just to use something from them...

Reply Score: 2

joshv Member since:
2006-03-18

The T-Mobile G1 is less a beta product than the release version of iPhone 3G was. Now T-Mobile's 3G network - *that's* a beta product.

Reply Score: 1

christianhgross Member since:
2005-11-15

WTF? Are you being serious here?

The iPhone was a real product from day 1.... It might not have had all features, but it was a real product.

Reply Score: 2

christianhgross Member since:
2005-11-15

Oh give me a break...

As one Android individual said to me, "This will be the hottest phone on the planet! Bigger than iPhone!"

YEAH RIGHT!

What the Google people need to do is get back to planet earth... This company reminds me very much of Netscape in its heyday.

Around 1996 I attended the only conference Netscape ever held. And it was at that time I said, "Netscape is dead." While Google might not be dead, Google is not going anywhere quick...

Reply Score: 0

ari-free Member since:
2007-01-22

Good points, but Android is still very, very young, practically beta only.

everything google is beta

Reply Score: 2

Almindor Member since:
2006-01-16

Um.. Android might be "open source" by definition of the word, but it was not DEVELOPED open source.

It was developed closed source and then released, so what you see here is typical corporate closed source software quality.. after review too.

If it was OSS from the get-go this wouldn't get past 0.1.

Reply Score: 8

renox Member since:
2005-07-06

As with Apple, Google can update remotely the firmware so this bug won't last long, so the bug in itself won't be present for long.

As for the psychological impact, it's harder to guess: on one hand this bug required physical access, so on a normal scale it should be seen as less severe than a remote exploit, but as the title of the article shows ('worst bug ever'), the 'simplicity' of the 'exploit' makes it appear worse than it is.

It's not the first time that debug code which stays in production creates a vulnerability issue: I remember an Ubuntu version where the installer showed the root password in clear in its logs.

Reply Score: 4

DigitalAxis Member since:
2005-08-28

And that was pretty dumb too.

I don't know; when I think open software on the one hand I think limitless potential, on the other hand, I think 'how many people are going to exploit this for malicious purposes?'

If it's open and someone's watching, they'll be found out pretty quick. On the other hand, Google seems to have beat them to it, shipping software that COMES with a rootkit preinstalled. Hooray!

Reply Score: 1

renox Member since:
2005-07-06

Uh? The open/closed source has nothing to do with security: OpenBSD is an example of an opensource project where security is treated seriously, Windows is a good example of a closed source OS which used to be 'defective by design'.

Reply Score: 4

hobgoblin Member since:
2005-07-06

i wonder how long it would take microsoft to roll out a patch if a similar issue would show up in windows mobile...

Reply Score: 2

joshv Member since:
2006-03-18

Calm down.

"How can you paint a complete failure to protect the customer's personal data and security, a good thing and "proof of the power of open source"?"

I have a G1 phone, with the bug. Can you please explain to me how my personal data and security are at risk? I imagine I could type 'telnetd' and connect to my wireless network, and then forward port 23 to my phone. Even if I were so stupid, probably nothing would happen. Not much malware out there looking for idiots who launched telnetd on their phone and then opened it up to the Internet.

Reply Score: 3

3rdalbum Member since:
2008-05-26

Kroc: Apple introduces ridiculous security problems all the time; admittedly none exactly like this, but some pretty dumb schoolboy ones. Sometimes it doesn't fix them for close on a year. There are very few people who bother to criticise Apple for this.

Reply Score: 1

G1 phone
by buff on Sun 9th Nov 2008 17:09 UTC
buff
Member since:
2005-11-12

It is funny reading about this bug. I just happened to get my G1 phone in the mail and I was setting it up. I was looking forward to using the keyboard to make messaging faster. Now I guess I will have to be mindful of staying away from 'reboot' 'rm', etc. I have to agree with the writer of the article this is probably one of the worst bugs I have heard about. It reminds me of the Futurama episode where Bender has a bomb inside of him and there is a secret word which sets it off. Of course Bender tries to figure out the word and says 'antiques' and he blows up. Funny how reality imitates fiction. Possibly this should be called the Bender bug. I look forward to a forthcoming update. Until then I guess I will have to type very, very carefully and not mention the word reb**t when typing.

Edited 2008-11-09 17:14 UTC

Reply Score: 4

RE: G1 phone
by sakeniwefu on Mon 10th Nov 2008 10:18 UTC in reply to "G1 phone"
sakeniwefu Member since:
2008-02-26

If the root filesystem has the standard tools typing <enter>cat<enter> should protect anyone for the rest of the session and until they update the OS.

Reply Score: 2

v Not an Android issue
by kwag on Sun 9th Nov 2008 17:18 UTC
RE: Not an Android issue
by buff on Sun 9th Nov 2008 17:32 UTC in reply to "Not an Android issue"
buff Member since:
2005-11-12

This is an OS issue. Not an Android issue.

You are right about this. I was reading in the Android forum and people were discussing how debugging code in the kernel was left in which pipes text entry into the shell. The debugging code should have been removed or disabled before deployment. Oops.

Reply Score: 2

RE: Not an Android issue
by sbergman27 on Sun 9th Nov 2008 17:39 UTC in reply to "Not an Android issue"
sbergman27 Member since:
2005-07-24

This is an OS issue. Not an Android issue.

Besides... this is open source. Our security bugs can be as egregious as you please. But as long as a patch is released quickly we can pat ourselves on the back and collect our accolades. ;-)

Google started rolling out the patch yesterday.

Edited 2008-11-09 17:44 UTC

Reply Score: 4

RE[2]: Not an Android issue
by mjg59 on Sun 9th Nov 2008 20:55 UTC in reply to "RE: Not an Android issue"
mjg59 Member since:
2005-10-17

It's nothing to do with the kernel, other than the kernel working as designed. Input event devices are multiplexed through /dev/console and passed to the foreground virtual terminal. If you've launched a graphical environment in that terminal then the keyboard events will be passed back to it. If you also happen to be running a shell underneath that terminal, then bad things are obviously going to happen. The easy workaround is not to run a shell on that terminal. The correct one (which then works independent of the shell) is to put the console in KD_RAW mode, which prevents the passthrough of events. We hit the same issue in X during the migration from the old kbd driver to the new evdev one.

Reply Score: 2
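
A check for the condition described in the comment above, added here as an example and not code from the commenter, Google or Android: it asks a Linux virtual console for its keyboard mode with the `KDGKBMODE` ioctl and reports whether typed keys reach readers of that tty as text. The `/dev/tty0` default, the function names and the mapping to the `K_*` constants in `<linux/kd.h>` (taken here to be what the comment's "KD_RAW" refers to) are assumptions.

```c
/* Added example: how does a Linux virtual console hand key presses to its tty? */
#include <fcntl.h>
#include <linux/kd.h>   /* KDGKBMODE, K_RAW, K_XLATE, K_MEDIUMRAW, K_UNICODE */
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

#ifndef K_OFF           /* not defined by older kernel headers */
#define K_OFF 0x04
#endif

enum kbd_delivery {
    KBD_UNKNOWN = -1,   /* could not query, or unrecognised mode */
    KBD_NONE    = 0,    /* K_OFF: nothing is queued on the tty */
    KBD_CODES   = 1,    /* K_RAW / K_MEDIUMRAW: scancodes or keycodes, not text */
    KBD_TEXT    = 2     /* K_XLATE / K_UNICODE: translated characters */
};

/* Map a keyboard mode value to what a process reading the tty would receive. */
enum kbd_delivery classify_kbmode(int mode)
{
    switch (mode) {
    case K_XLATE:
    case K_UNICODE:
        return KBD_TEXT;
    case K_RAW:
    case K_MEDIUMRAW:
        return KBD_CODES;
    case K_OFF:
        return KBD_NONE;
    default:
        return KBD_UNKNOWN;
    }
}

/* Query the console at `path`; KBD_UNKNOWN if it cannot be opened or is not a VT. */
enum kbd_delivery audit_console(const char *path)
{
    int mode = -1;
    int fd = open(path, O_RDONLY | O_NOCTTY);   /* never adopt it as our own tty */
    if (fd < 0)
        return KBD_UNKNOWN;
    if (ioctl(fd, KDGKBMODE, &mode) != 0)
        mode = -1;
    close(fd);
    return classify_kbmode(mode);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/tty0";  /* assumed default */
    static const char *const label[] = {
        "nothing", "scancodes/keycodes", "translated text"
    };
    enum kbd_delivery d = audit_console(path);

    if (d == KBD_UNKNOWN) {
        fprintf(stderr, "%s: cannot read keyboard mode\n", path);
        return 2;
    }
    printf("%s: tty readers receive %s\n", path, label[d]);
    /* Exit status 1 flags the risky case: a shell whose stdin is this
       console would see everything typed while a GUI owns the screen. */
    return d == KBD_TEXT ? 1 : 0;
}
```

Run it as root against the console the graphical environment was started on; a result of "translated text" there, combined with a shell attached to the same console, is the configuration the comment describes.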

Ummm...
by looncraz on Sun 9th Nov 2008 18:13 UTC
looncraz
Member since:
2005-07-24

Why didn't anyone realize the size difference of the OS??

If it was compiled in debug-mode, it is going to be rather noticeably larger, often multiples of times larger with some debug options.

I'm guessing this was just a debug-mode feature which was not #ifdef'd out properly when switching the build to release-mode.

Though, I'd think that simply providing a menu entry or quick-combo to route access to the term would be smarter than all text... I mean, you really can't observe the operation of the phone properly with debug-mode features in place anyway - I've seen dozens of programs work perfectly in debug-mode and act HORRIBLY in release mode because the developers never even tried it, just assumed it was okay (I'm guilty of this one, too).

Oh well, I don't buy phones for computing, I buy them to talk to people... weirdos.

--The loon

Reply Score: 7

It's actually pretty cool
by joshv on Sun 9th Nov 2008 18:14 UTC
joshv
Member since:
2006-03-18

Just type "telnetd", hit return, and you can then telnet into a root shell on the device and poke around.

Until an OTA fix is pushed out though, I am going to be a bit careful about the things I type in email.

Reply Score: 2

RE: It's actually pretty cool
by buff on Sun 9th Nov 2008 18:51 UTC in reply to "It's actually pretty cool"
buff Member since:
2005-11-12

telnetd is pretty wild. I was looking through the file system with a 'ls -al'. I used 'cp' to copy some data files to the SD card. Cool for backing up. I couldn't help myself and tried the 'reboot' command. Yep, my G1 phone rebooted as soon as I pressed enter. It is kind of creepy knowing that you could just be IMing someone about a shell command and the phone will respond as if the command was issued with superuser privileges. Not so good for security.

Is there a Terminal application for Android? It would be nice to be able to killall an errant process.

Edited 2008-11-09 18:56 UTC

Reply Score: 2

RE[2]: It's actually pretty cool
by helf on Mon 10th Nov 2008 00:11 UTC in reply to "RE: It's actually pretty cool"
helf Member since:
2005-07-06

can you not normally get to root on your android powered phone? I guess you could set it up now so that you could get root access with ease and then update the phone when they release a fix and keep your changes.

Reply Score: 2

bug or feature?
by poundsmack on Sun 9th Nov 2008 18:57 UTC
poundsmack
Member since:
2005-07-13

this might be done intentionally so that google can record your key strokes. this is an advertising company after all, this way it knows what to market to you. if that's the case it is a rather large invasion of privacy, but i wouldn't put it past them

Reply Score: 0

RE: bug or feature?
by StephenBeDoper on Sun 9th Nov 2008 21:22 UTC in reply to "bug or feature?"
StephenBeDoper Member since:
2005-07-06

I think that Google could probably come up with something a *tiny* bit more sophisticated if they wanted to run a keylogger on the iPhone.

And that's aside from the fact that the damage to Google's reputation, if they actually did something like that and it were discovered (which it inevitably would be), would far outweigh any possible benefit.

Reply Score: 5

RE[2]: bug or feature?
by StephenBeDoper on Mon 10th Nov 2008 02:04 UTC in reply to "RE: bug or feature?"
StephenBeDoper Member since:
2005-07-06

I think that Google could probably come up with something a *tiny* bit more sophisticated if they wanted to run a keylogger on the iPhone.


Whoops, small Freudian slip there ;)

Reply Score: 2

RE[2]: bug or feature?
by DrillSgt on Mon 10th Nov 2008 08:52 UTC in reply to "RE: bug or feature?"
DrillSgt Member since:
2005-12-02

"And that's aside from the fact that the damage to Google's reputation, if they actually did something like that and it were discovered (which it inevitably would be), would far outweigh any possible benefit."

What reputation? They willingly sell your information...they have no rep but a bad rep for anyone paying attention. They track your every move and hand it over on demand to the highest bidder. You actually think they have a good reputation?

Reply Score: 2

RE[3]: bug or feature?
by dagw on Mon 10th Nov 2008 11:00 UTC in reply to "RE[2]: bug or feature?"
dagw Member since:
2005-07-06

You actually think they have a good reputation?

Yes I do think they have a great reputation. Ask 1000 random people about their opinion of Google and I am sure that most people will say that they are very happy with Google and their services. Only a tiny fraction will even be aware of the privacy concerns you mention, and only a fraction of those again will be seriously concerned or bothered.

On the whole I'd say Google probably has one of the best reputations in the whole tech industry. What gave you the idea that they didn't?

Now if they deserve the reputation they have is another, and totally unrelated, question.

Reply Score: 3

RE[4]: bug or feature?
by DrillSgt on Mon 10th Nov 2008 17:13 UTC in reply to "RE[3]: bug or feature?"
DrillSgt Member since:
2005-12-02

"Now if they deserve the reputation they have is another, and totally unrelated, question."

Fair enough.

Reply Score: 2

RE[3]: bug or feature?
by StephenBeDoper on Mon 10th Nov 2008 13:41 UTC in reply to "RE[2]: bug or feature?"
StephenBeDoper Member since:
2005-07-06

What reputation? They willingly sell your information...they have no rep but a bad rep for anyone paying attention. They track your every move and hand it over on demand to the highest bidder. You actually think they have a good reputation?


Somehow, despite reading three or four tech sites daily, I managed to miss those damning details. Maybe you could tone down the bombast and post some links that substantiate... err, I mean enlighten us poor inattentive folks about the horrors of google?

Reply Score: 2

RE[4]: bug or feature?
by DrillSgt on Mon 10th Nov 2008 17:12 UTC in reply to "RE[3]: bug or feature?"
DrillSgt Member since:
2005-12-02

"Somehow, despite reading three or four tech sites daily, I managed to miss those damning details. Maybe you could tone down the bombast and post some links that substantiate... err, I mean enlighten us poor inattentive folks about the horrors of google?"

Don't read just the tech sites..keep up with industry news.

http://www.vnunet.com/vnunet/news/2217063/google-handing-user-infor...

http://www.marketingpilgrim.com/2008/04/google-will-hand-over-your-...

The crime of the above link itself is extremely bad and the people guilty should be put to death. The focus is on the fact that Google keeps and turns over your personal information.

http://blogs.techrepublic.com.com/tech-news/?p=1647

That is just 3 links. Granted, they are legal links. Google's business model is advertising, which includes handing over your personal data to companies as well. Where do you think all that junk mail comes from addressed to you in your mail box? All companies sell information, it is just another way to make money.

You can trust them all you want, I for one do not.

Reply Score: 2

RE[5]: bug or feature?
by StephenBeDoper on Tue 11th Nov 2008 19:10 UTC in reply to "RE[4]: bug or feature?"
StephenBeDoper Member since:
2005-07-06

Don't read just the tech sites..keep up with industry news.


None of the links that you posted are news - at least not to anyone who's taken the two or three minutes required to skim over the google "privacy overview" page.

The crime of the above link itself is extremely bad and the people guilty should be put to death.


I really hope that's rhetoric.

The focus is on the fact that Google keeps and turns over your personal information.


In all the examples that you posted, they were required to do so by a court order or other legal ruling. The basic reality is: if you operate in a country, you're bound by their legal system (within the limits of that country's jurisdiction, of course).

You or I may not like those rulings or the laws that they're based on - but those are problems of the particular countries' legal systems.

Google's business model is advertising, which includes handing over your personal data to companies as well.


You can substantiate that claim? Since the Google privacy policy states otherwise, selling personal information would be a significant breach of privacy laws (at least in some countries).

You can trust them all you want, I for one do not.


Thanks for your permission and all, but where does trust enter in? I simply choose not to hop onto the anti-Google bandwagon without some reason more substantial than blind, knee-jerk anti-populism.

Reply Score: 2

What ? it's not a Feature ??
by mmu_man on Sun 9th Nov 2008 19:01 UTC
mmu_man
Member since:
2006-09-30

I mean who needs anything else beside a console ?
Though it'd be better if the result was displayed.
That's called a Terminal emulator. surely Google can find one :p

Reply Score: 2

Comment by siki_miki
by siki_miki on Sun 9th Nov 2008 20:41 UTC
siki_miki
Member since:
2006-01-17

Wow. A phone that will turn your sms into scripting. Still, Linux shell commands aren't so similar to common language so disasters should happen rarely. Except for giving instructions on how to do something in the shell ;)

Anyway, Android phones are still new, not that there are millions of them around waiting to execute root commands.

Reply Score: 2

Come on...
by Ikshaar on Sun 9th Nov 2008 20:51 UTC
Ikshaar
Member since:
2005-07-14

Am I the only one who finds this rather funny? (And yes, I have a G1.)

I understand the guy is upset but unless there is a security consequence to it, not everyone writes to his girlfriend "reboot", "shutdown" or "cd /; rm -rf *"

Reply Score: 1

RE: Come on...
by StephenBeDoper on Sun 9th Nov 2008 21:23 UTC in reply to "Come on..."
StephenBeDoper Member since:
2005-07-06

That was my first thought too - "I wonder if anyone has done an rm -rf / to their phone yet."

Reply Score: 2

RE: Come on...
by Bending Unit on Sun 9th Nov 2008 21:38 UTC in reply to "Come on..."
Bending Unit Member since:
2005-07-06

They will now. But not to girlfriends of course.

Reply Score: 2

RE: Come on...
by pysiak on Sun 9th Nov 2008 21:49 UTC in reply to "Come on..."
pysiak Member since:
2008-01-01

Or boyfriend. Anyway, I wonder if that was actually close to being exploitable as a mobile DOS by sending text messages to millions of people with: 'reboot'.

Those devices are a new platform to exercise playful maliciousness.

Reply Score: 1

RE[2]: Come on...
by umccullough on Sun 9th Nov 2008 22:35 UTC in reply to "RE: Come on..."
umccullough Member since:
2006-01-26

Or boyfriend. Anyway, I wonder if that was actually close to being exploitable as a mobile DOS by sending text messages to millions of people with: 'reboot'.

Those devices are a new platform to exercise playful maliciousness.


it has to be typed on the keyboard directly.

The "girlfriend" reference is related to the article linked - where the guy who discovered the bug was texting to his girlfriend - it wasn't meant to suggest only guys have them ;)

Reply Score: 2

RE: Come on...
by buff on Sun 9th Nov 2008 23:40 UTC in reply to "Come on..."
buff Member since:
2005-11-12

I agree with you. It is a little funny. There are always those that make it sound like the sky is falling. The chances are slim that I would send a message to someone with reboot in it. Just the fact that this bug made it through QA is mind-boggling. It is also alarming though how much it opens your phone up to potential hacking.

Reply Score: 2

setec_astronomy Member since:
2007-11-17

No. This is evidence that Linux based OSes in particular (and *nix systems in general) enable a myriad different ways to shoot yourself marvelously in the foot, especially if you are sloppy with your quality control process, which is the most likely cause for this blunder of epic dimensions.

You would have a point, if this setup would somehow be recommended by some kind of semi-official documentation, or if it were common practice, or .... . But since this is not the case (and since similar configurations would be without a doubt possible with other *nix systems too), I can't agree to blame a certain family of operating systems for the stupidity of the packagers of this phone.

Reply Score: 2

Jokel Member since:
2006-06-01

Nope - it is proof the developers were more than a bit stupid. The Linux kernel you were referring to does not have this bug. It is the software added to it and stupid use of user rights.

Don't forget this software is not developed by an open source process, but "out-of-sight" of the OS community. In other words - it was closed source until the source was published.

Only AFTER the source was published the bug was discovered. This bug probably was not discovered in the short term if the software was closed source. In other words - closed source would prevent to discover this bug, leaving the phones unsafe until someone stumbled upon it by accident. And that's the best scenario. If that someone would keep it silent and use it, it would be a different matter.

And that's the problem with closed source. There could be (and most probably are) a lot of bugs in closed software the "normal" user does not know. If they are discovered by not good willing people, the "normal" user is in danger without even knowing about it. There is no way he could know it. That makes closed source in fact more dangerous to use than open source.

I do not believe in "security by obscurity", and this is a perfect example. If the source was not opened this bug could be in the software forever, only known by a few bad willing guys. I must admit the bug is not that disastrous (only people with direct access could do something with it), but how many phones with closed software have a similar or worse bug? This last question cannot be answered, because nobody (except maybe a few "shady" people - and the developers) knows about it.

Reply Score: 3

v Welcome...
by jmgarciaaix on Mon 10th Nov 2008 13:02 UTC
RE: Welcome...
by neowolf on Mon 10th Nov 2008 16:37 UTC in reply to "Welcome..."
neowolf Member since:
2005-07-06

Though most non-geeky people won't ever know about this bug if they have the phone. The odds of typing a command that would execute at random are fairly low. They'd just quietly get an update and life continues on being "easier". Much like if they were using any other platform.

Reply Score: 1