Worst. Bug. Ever.

Worst. Bug. Ever.

Summary: It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell.


It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!

In the bug report (issue 1207) jdhorvat writes:

Funny story behind finding this:

I was in the middle of a text conversation with my girl when she asked why I hadn't responded. I had just rebooted my phone and the first thing I typed was a response to her text which simply stated "Reboot" - which, to my surprise, rebooted my phone.

When I first read this I didn't believe it. Then I read it again, and again, and finally tried it for myself. It's true. Don't believe me? Save anything you're working on (this will reboot your phone!), open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: <return>-r-e-b-o-o-t-<return>. Poof, your phone will reboot. This only works on a real phone, not in the emulator, and only with firmware version 1.0 TC4-RC29 and earlier.

From the home screen select Menu > Settings > About phone, and look for the Build number (near the bottom). If you see this:

kila-user 1.0 TC4-RC29 115247 ota-rel-keys,release-keys (US)

kila_uk-user 1.0 TC5-RC7 112931  (UK)

then you're vulnerable. If you see anything later than RC29 in the US or RC7 in the UK then you already have the fix.

Because Android is open source, the problem was quickly tracked down by users to a couple lines in the system file init.rc. My guess is that this was accidentally left in during device debugging. Thankfully the fix is trivial; you can probably even make it yourself if you're so inclined (just comment out the offending lines described in the reports above and reboot).

Here's a workaround I just discovered: Open the keyboard and type these 5 keystrokes: <return>-c-a-t-<return>. That will cause the phantom shell to not listen to commands any more, at least until the next reboot.

A patch from Google should be on its way soon. Meanwhile, be careful what you type.

Updated 10Nov2008: The patch installed itself on my G1 this weekend. I can verify that the bug has been fixed, so it's safe to type "rm -r" in your instant messages again.

Topics: Telcos, Hardware, Mobility

Ed Burnette

About Ed Burnette

Ed Burnette is a software industry veteran with more than 25 years of experience as a programmer, author, and speaker. He has written numerous technical articles and books, most recently "Hello, Android: Introducing Google's Mobile Development Platform" from the Pragmatic Programmers.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • sounds like....

    Way back when... Bill was demo'ing a voice interface to windows when someone in the audience shouted out Format C colon....
    • LMAO... nt

    • I had to look this one up

      From 1998, http://www.orcopug.org/pdf/sept98.pdf :

      "Origin of urban legend

      Thanks for checking on the speech recognition
      story. Although grounded in fact,
      I?m afraid that tale has grown into something
      of an urban legend. (I seem to recall that
      Steve Bass of Pasadena had a lot to do with
      enhancing and recirculating it.)
      The straight scoop is a bit less
      amusing, but was hilarious enough at
      the time.

      Several years back, one of the
      speakers at a meeting of the
      Sacramento PC Users Group was
      demonstrating speech-recognition
      software. Just as the live portion of
      the demo was starting, a past-
      President named Rick Hellewell
      shouted out from the audience,
      ?Format C colon.? Nothing actually
      happened, but the comment brought
      down the house.

      This has since become a running
      joke, which someone feels obligated
      to repeat (with ever-decreasing
      hilarity) whenever a vendor demonstrates
      a speech-recognition product,
      most recently at our July meeting.
      Thank you for giving me the opportunity
      to set the record straight.

      ---Larry Clark, President
      Sacramento PC Users Group"

      I also found a reference to it here from 1993:
      Ed Burnette
      • good story anyway

        thanks for the reference. I didn't realize it was partially true...
      • Steve Jobs at Oracle World ('98?)

        While the above is apocryphal, I was present for a similar circumstance. Steve Jobs was keynoting at Oracle World, in the SanFran Hilton (i think it was '98) before he'd gone back to Apple. I think it was WebObjects or something. In any case, his PC, running Windows and Powerpoint, was having problems, and while there was the usual hemming and hawing and uncomfortable silence from the audience, after about 10 seconds someone way in the back said just loud enough to be heard, "Get a Mac".

        No one could hear anyone for about a minute, from the laughter.
  • Confirmed.

    I've just confirmed this bug on my test model of the G1 (pressed [enter] R-E-B-O-O-T [enter] and it rebooted on the spot).
  • Android is a java framework it doesn't have an init.rc

    The vulnerability clearly isn't in Android itself, it's in the operating system implementation (a custom linux distro?) on the G1 phone.

    To classify it as an Android bug is a bit wide of the mark.
    This is like saying that a Windows PC that boots a trojan on a CD has a vulnerability in Windows. Not so. The problem is in the CMOS settings allowing booting from CD.

    Note: there are many phones in progress that will run Android. They could even run Windows CE or Symbian under the java framework. Therefore to classify this as an "Android" problem is just plain wrong.
    • Android IS NOT a java framework.

      Android is a platform, not a framework. There are so many more parts to Android than just the java API. Yes, the applications are written in java but that doesn't mean you'll see it running on Windows CE or Symbian. You'd have to re-implement the custom Java VM (it's not your run-of-the-mill VM, it's called Dalvik if you want to look it up) on each of those additional platforms as well as any platform specific libraries that are used by Android.

      Saying Android is just a java framework is like saying the iPhone OS is just an Obj-C framework or Windows Mobile is just a .Net framework.

      I do agree with you that it's a problem with HTC's implementation of the underlying Linux-based OS on the phone but that's also part of what's known as Android.

      I just had to respond before people reading this article and the comments were lead in the wrong direction by your comment.

      I'd recommend taking a look at: http://code.google.com/android/what-is-android.html
      • Its ALL Android

        If you look at their stack diagrams Android is a custom Linux kernel with a Dalvik Java layer on top.

        Also I can't seem to get this to work even thought I have RC29.
      • my bad.

        I downloaded a very early version, and I don't think I saw that diagram. My impression at the time was that if you provided the basic ABIs/APIs, you could run it on anything.

        In fact, I'm pretty certain you could throw away the Linux kernel, and shim the rest of it onto something else, (WINE-like).

        From memory, the Apache2 licence would allow you to do that, although you might have to call it something else, like iRobot.

        I can't really see why anyone would bother now, though, as the iPhone style interface is available through versions of WindowsCE, Blackberry, G1 etc.

        Bottom line though is that Ed id right, worst bug ever.
      • IOW...

        In the Android platform, Jave runs under Linux. That is what I get from the recommended link.
  • RE: Worst. Bug. Ever.

    Wow thats scary. think I will stick with my IPhone 3G.

    • Please do...

      ...so I can laugh at you.
  • Message has been deleted.

    • Do *not* type "rm -rf /*"

      Unless you *want* to erase everything on your phone, including the OS.

      The command "rm -rf /*" is the classic example of something you basically never want to run on a UNIX system. However I expect that there are many android users who are not old UNIX hand and have never come across this wisdom.
    • Already reported. Just stupid.

      If anyone does this on your advice, your account should be deleted and banned. I can list you as many commands to completely corrupt any OS installed, and your sorry attempt at humor as said, was already reported when I wanted to report it. You might edit it yourself though.

  • G1 is linux based

    G1 is linux based: linux security sucks!
    • Are you sure about that?

      There is nothing wrong with the security of your Google (Android) Linux phone. This is a UNDOCUMENTED FEATURE that you PAID EXTRA for.
    • Oh really? Then why do the paypal servers run linux?

      Because if linux security sucks... then why do millions of people trust their money to it?
      • Wow... just wow...

        When your program is coded poorly, and is passing all user input as literal root level system commands, then your super-secure OS is irrelevant.