There’s a bug in Android that crosses over from the realm of serious into self-parody: “It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application, would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!”
Too bad about this bug – the first generation of anything is bound to be buggy.
Still, it’s a good example of the open source development model leading to bugs being exposed and patched sooner.
Good on Google and the open source community for not simply keeping silent or sweeping it under the carpet. Proof of the power of open source.
Too bad? Too bad?
This is an absolute disaster.
It is an unmitigated failure.
How can you paint a complete failure to protect the customer’s personal data and security, a good thing and “proof of the power of open source”?
If it were Microsoft or Apple, they would be instantly ripped a new one.
A bug like this might write Android out of the enterprise market, permanently.
Good points, but Android is still very, very young, practically beta only. Most people haven’t even considered purchasing the product yet for that exact reason.
We all know that new products quite often have many bugs, although maybe not as serious as this one, usually. Making permanent judgments may thus be a bit early.
If seen from a positive point of view, hopefully the Android team will now learn their lessons from this, permanently, and there will never again be security announcements this serious for Android. It is up to them, and only time will tell.
Aye, I agree, this needs serious action from Google. Their whole security review process needs reviewing.
The fact that this made it to beta is pretty bad…
A beta product should never be sold with a 2 year contract attached to it.
Dear Lord, my friend!
You think our good friends at Redmond are aware of this very truth?
What Microsoft product comes with a two year contract? I have yet to have to sign anything and lock myself into a provider for 2 years just to use something from them…
The T-Mobile G1 is less a beta product than the release version of the iPhone 3G was. Now T-Mobile’s 3G network – *that’s* a beta product.
WTF? Are you being serious here?
The iPhone was a real product from day 1…. It might not have had all features, but it was a real product.
Oh give me a break…
As one Android individual said to me, “This will be the hottest phone on the planet! Bigger than iPhone!”
YEAH RIGHT!
What the Google people need to do is get back to planet earth… This company reminds me very much of Netscape in its heyday.
Around 1996 I attended the only conference Netscape ever held. And it was at that time I said, “Netscape is dead.” While Google might not be dead, Google is not going anywhere quick…
Good points, but Android is still very, very young, practically beta only.
Everything Google is beta.
Because open source zealots must see anything that open source does as good, no matter what. It is a religion to them, and like all religions they must twist everything and anything to validate themselves, at least in their own eyes. I wish they’d put down their Kool-Aid, or meth, or whatever the hell they’re addicted to and look around for a bit. This is a nasty security bug. Great that we know about it. But hmm, this is worse than a lot of them we’ve seen come out of either MS or Apple in the past few years… and they were rather open about most of their security issues too once they were being patched. This is no different, open source or no open source.
Um.. Android might be “open source” by definition of the word, but it was not DEVELOPED open source.
It was developed closed source and then released, so what you see here is typical corporate closed source software quality… after review too.
If it was OSS from the get-go this wouldn’t get past 0.1.
As with Apple, Google can remotely update the firmware, so this bug won’t last long; the bug in itself won’t be present for long.
As for the psychological impact, it’s harder to guess: on one hand this bug required physical access, so on a normal scale it should be seen as less severe than a remote exploit, but as the title of the article shows (‘worst bug ever’), the ‘simplicity’ of the ‘exploit’ makes it appear worse than it is.
It’s not the first time that debug code which stays in production creates vulnerability issues: I remember an Ubuntu version where the installer showed the root password in the clear in its logs.
And that was pretty dumb too.
I don’t know; when I think open software on the one hand I think limitless potential, on the other hand, I think ‘how many people are going to exploit this for malicious purposes?’
If it’s open and someone’s watching, they’ll be found out pretty quick. On the other hand, Google seems to have beat them to it, shipping software that COMES with a rootkit preinstalled. Hooray!
Uh? Open/closed source has nothing to do with security: OpenBSD is an example of an open source project where security is treated seriously; Windows is a good example of a closed source OS which used to be ‘defective by design’.
I wonder how long it would take Microsoft to roll out a patch if a similar issue showed up in Windows Mobile…
Calm down.
“How can you paint a complete failure to protect the customer’s personal data and security, a good thing and “proof of the power of open source”?”
I have a G1 phone, with the bug. Can you please explain to me how my personal data and security are at risk? I imagine I could type ‘telnetd’ and connect to my wireless network, and then forward port 23 to my phone. Even if I were so stupid, probably nothing would happen. Not much malware out there looking for idiots who launched telnetd on their phone and then opened it up to the Internet.
Krok: Apple introduces ridiculous security problems all the time; admittedly none exactly like this, but some pretty dumb schoolboy ones. Sometimes it doesn’t fix them for close on a year. There are very few people who bother to criticise Apple for this.
It is funny reading about this bug. I just happened to get my G1 phone in the mail and I was setting it up. I was looking forward to using the keyboard to make messaging faster. Now I guess I will have to be mindful of staying away from ‘reboot’ ‘rm’, etc. I have to agree with the writer of the article this is probably one of the worst bugs I have heard about. It reminds me of the Futurama episode where Bender has a bomb inside of him and there is a secret word which sets it off. Of course Bender tries to figure out the word and says ‘antiques’ and he blows up. Funny how reality imitates fiction. Possibly this should be called the Bender bug. I look forward to a forthcoming update. Until then I guess I will have to type very, very carefully and not mention the word reb**t when typing.
Edited 2008-11-09 17:14 UTC
If the root filesystem has the standard tools typing <enter>cat<enter> should protect anyone for the rest of the session and until they update the OS.
This is an OS issue. Not an Android issue.
Read the article!
This is an OS issue. Not an Android issue.
You are right about this. I was reading in the Android forum and people were discussing how debugging code in the kernel was left in which pipes text entry into the shell. The debugging code should have been removed or disabled before deployment. Oops.
Besides… this is open source. Our security bugs can be as egregious as you please. But as long as a patch is released quickly we can pat ourselves on the back and collect our accolades. 😉
Google started rolling out the patch yesterday.
Edited 2008-11-09 17:44 UTC
It’s nothing to do with the kernel, other than the kernel working as designed. Input event devices are multiplexed through /dev/console and passed to the foreground virtual terminal. If you’ve launched a graphical environment in that terminal then the keyboard events will be passed back to it. If you also happen to be running a shell underneath that terminal, then bad things are obviously going to happen. The easy workaround is not to run a shell on that terminal. The correct one (which then works independent of the shell) is to put the console in KD_RAW mode, which prevents the passthrough of events. We hit the same issue in X during the migration from the old kbd driver to the new evdev one.
Why didn’t anyone realize the size difference of the OS??
If it was compiled in debug-mode, it is going to be rather noticeably larger, often multiples of times larger with some debug options.
I’m guessing this was just a debug-mode feature which was not #ifdef’d out properly when switching the build to release-mode.
Though, I’d think that simply providing a menu entry or quick-combo to route access to the term would be smarter than all text… I mean, you really can’t observe the operation of the phone properly with debug-mode features in place anyway – I’ve seen dozens of programs work perfectly in debug mode and act HORRIBLY in release mode because the developers never even tried it, just assumed it was okay (I’m guilty of this one, too).
Oh well, I don’t buy phones for computing, I buy them to talk to people… weirdos.
–The loon
Just type “telnetd”, hit return, and you can then telnet into a root shell on the device and poke around.
Until an OTA fix is pushed out though, I am going to be a bit careful about the things I type in email.
telnetd is pretty wild. I was looking through the file system with a ‘ls -al’. I used ‘cp’ to copy some data files to the SD card. Cool for backing up. I couldn’t help myself and tried the ‘reboot’ command. Yep, my G1 phone rebooted as soon as I pressed enter. It is kind of creepy knowing that you could just be IMing someone about a shell command and the phone will respond as if the command was issued with superuser privileges. Not so good for security.
Is there a Terminal application for Android? It would be nice to be able to killall an errant process.
Edited 2008-11-09 18:56 UTC
Can you not normally get to root on your Android-powered phone? I guess you could set it up now so that you could get root access with ease and then update the phone when they release a fix and keep your changes.
This might be done intentionally so that Google can record your keystrokes. This is an advertising company after all; this way it knows what to market to you. If that’s the case it is a rather large invasion of privacy, but I wouldn’t put it past them.
I think that Google could probably come up with something a *tiny* bit more sophisticated if they wanted to run a keylogger on the iPhone.
And that’s aside from the fact that the damage to Google’s reputation, if they actually did something like that and it were discovered (which it inevitably would be), would far outweigh any possible benefit.
Whoops, small Freudian slip there
“And that’s aside from the fact that the damage to Google’s reputation, if they actually did something like that and it were discovered (which it inevitably would be), would far outweigh any possible benefit.”
What reputation? They willingly sell your information…they have no rep but a bad rep for anyone paying attention. They track your every move and hand it over on demand to the highest bidder. You actually think they have a good reputation?
Yes I do think they have a great reputation. Ask 1000 random people about their opinion of Google and I am sure that most people will say that they are very happy with Google and their services. Only a tiny fraction will even be aware of the privacy concerns you mention, and only a fraction of those again will be seriously concerned or bothered.
On the whole I’d say Google probably has one of the best reputations in the whole tech industry. What gave you the idea that they didn’t?
Now if they deserve the reputation they have is another, and totally unrelated, question.
“Now if they deserve the reputation they have is another, and totally unrelated, question.”
Fair enough.
Somehow, despite reading three or four tech sites daily, I managed to miss those damning details. Maybe you could tone down the bombast and post some links that substantiate… err, I mean enlighten us poor inattentive folks about the horrors of google?
“Somehow, despite reading three or four tech sites daily, I managed to miss those damning details. Maybe you could tone down the bombast and post some links that substantiate… err, I mean enlighten us poor inattentive folks about the horrors of google?”
Don’t read just the tech sites. Keep up with industry news.
http://www.vnunet.com/vnunet/news/2217063/google-handing-user-infor…
http://www.marketingpilgrim.com/2008/04/google-will-hand-over-your-…
The crime of the above link itself is extremely bad and the people guilty should be put to death. The focus is on the fact that Google keeps and turns over your personal information.
http://blogs.techrepublic.com.com/tech-news/?p=1647
That is just 3 links. Granted, they are legal links. Google’s business model is advertising, which includes handing over your personal data to companies as well. Where do you think all that junk mail addressed to you in your mailbox comes from? All companies sell information; it is just another way to make money.
You can trust them all you want, I for one do not.
None of the links that you posted are news – at least not to anyone who’s taken the two or three minutes required to skim over the Google “privacy overview” page.
I really hope that’s rhetoric.
In all the examples that you posted, they were required to do so by a court order or other legal ruling. The basic reality is: if you operate in a country, you’re bound by their legal system (within the limits of that country’s jurisdiction, of course).
You or I may not like those rulings or the laws that they’re based on – but those are problems of the particular countries’ legal systems.
You can substantiate that claim? Since the Google privacy policy states otherwise, selling personal information would be a significant breach of privacy laws (at least in some countries).
Thanks for your permission and all, but where does trust enter in? I simply choose not to hop onto the anti-Google bandwagon without some reason more substantial than blind, knee-jerk anti-populism.
I mean, who needs anything else besides a console?
Though it’d be better if the result was displayed.
That’s called a Terminal emulator. Surely Google can find one :p
Wow. A phone that will turn your SMS into scripting. Still, Linux shell commands aren’t so similar to common language, so disasters should happen rarely. Except for giving instructions on how to do something in the shell.
Anyway, Android phones are still new, not that there are millions of them around waiting to execute root commands.
Am I the only one who finds this rather funny? (And yes, I have a G1.)
I understand the guy is upset, but unless there is a security consequence to it, not everyone writes to his girlfriend “reboot”, “shutdown” or “cd /; rm -rf *”.
That was my first thought too – “I wonder if anyone has done an rm -rf / to their phone yet.”
They will now. But not to girlfriends of course.
Or boyfriend. Anyway, I wonder if that was actually close to being exploitable as a mobile DoS by sending text messages to millions of people with: ‘reboot’.
Those devices are a new platform to exercise playful maliciousness.
It has to be typed on the keyboard directly.
The “girlfriend” reference is related to the article linked – where the guy who discovered the bug was texting to his girlfriend – it wasn’t meant to suggest only guys have them
I agree with you. It is a little funny. There are always those that make it sound like the sky is falling. The chances are slim that I would send a message to someone with reboot in it. Just the fact that this bug made it through QA is mind-boggling. It is also alarming though how much it opens your phone up to potential hacking.
This is the evidence that Linux security sucks: in fact the G1 is Linux-based.
Edited 2008-11-10 07:42 UTC
No. This is evidence that Linux-based OSes in particular (and *nix systems in general) enable a myriad different ways to shoot yourself marvelously in the foot, especially if you are sloppy with your quality control process, which is the most likely cause for this blunder of epic dimensions.
You would have a point if this setup were somehow recommended by some kind of semi-official documentation, or if it were common practice, or … But since this is not the case (and since similar configurations would without a doubt be possible with other *nix systems too), I can’t agree to blame a certain family of operating systems for the stupidity of the packagers of this phone.
Nope – it is proof the developers were more than a bit stupid. The Linux kernel you are referring to does not have this bug. It is the software added to it and the stupid use of user rights.
Don’t forget this software is not developed by an open source process, but “out-of-sight” of the OS community. In other words – it was closed source until the source was published.
Only AFTER the source was published was the bug discovered. This bug probably would not have been discovered in the short term if the software had stayed closed source. In other words – closed source would have prevented this bug from being discovered, leaving the phones unsafe until someone stumbled upon it by accident. And that’s the best scenario. If that someone kept it silent and used it, it would be a different matter.
And that’s the problem with closed source. There could be (and most probably are) a lot of bugs in closed software the “normal” user does not know about. If they are discovered by ill-intentioned people, the “normal” user is in danger without even knowing about it. There is no way he could know it. That makes closed source in fact more dangerous to use than open source.
I do not believe in “security by obscurity”, and this is a perfect example. If the source had not been opened this bug could be in the software forever, only known by a few ill-intentioned guys. I must admit the bug is not that disastrous (only people with direct access could do something with it), but how many phones with closed software have a similar or worse bug? This last question cannot be answered, because nobody (except maybe a few “shady” people – and the developers) knows about it.
…to open-source. That’s why you should pay for your OS and rely on a company that keeps good, clean control of the product they sell.
Step aside from your geeky selves and put yourself in the place of a consumer. Do you really want to know what’s going on and see problems like these? NOPE. You want the thing to make life easier for you! My HTC Mogul and the iPhone 3G we have at home… do the latter.
Though most non-geeky people won’t ever know about this bug if they have the phone. The odds of typing a command that would execute at random are fairly low. They’d just quietly get an update and life continues on being “easier”. Much like if they were using any other platform.