Dev Connection
Worst. Bug. Ever.
By Ed Burnette
Biography
Ed Burnette has been hooked on computers ever since he laid eyes on a TRS-80 in the local Radio Shack. Since graduating from NC State University he has programmed everything from serial device drivers and debuggers to web servers. After a delightful break working on commercial video games, Ed reluctantly returned to business software. He currently develops OLAP servers and clients written in a mixture of C and Java.
In his copious spare time, Ed enjoys learning and writing about Open Source, Java, and Eclipse. He has written several articles and books on Eclipse, most recently the Eclipse IDE Pocket Guide from O'Reilly. He is an Eclipse committer, founding editor of EclipseZone.com, and former chief editor of the Eclipse Corner articles section at Eclipse.org.
It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted, it started a command shell running as root and, from then on, fed every keystroke you typed on the keyboard to that shell as well. So every word you typed, in addition to going to the foreground application, was silently and invisibly interpreted as a command and executed with superuser privileges. Wow!
In the bug report (issue 1207) jdhorvat writes:
Funny story behind finding this:
I was in the middle of a text conversation with my girl when she asked why I hadn’t responded. I had just rebooted my phone and the first thing I typed was a response to her text which simply stated “Reboot” - which, to my surprise, rebooted my phone.
When I first read this I didn’t believe it. Then I read it again, and again, and finally tried it for myself. It’s true. Don’t believe me? Save anything you’re working on (this will reboot your phone!), open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: <return>-r-e-b-o-o-t-<return>. Poof, your phone will reboot. This only works on a real phone, not in the emulator, and only with firmware version 1.0 TC4-RC29 and earlier.
From the home screen select Menu > Settings > About phone and look for the Build number (near the bottom). If you see either of these:
kila-user 1.0 TC4-RC29 115247 ota-rel-keys,release-keys (US)
kila_uk-user 1.0 TC5-RC7 112931 (UK)
then you're vulnerable. If you see anything later than RC29 in the US or RC7 in the UK, then you already have the fix.
Because Android is open source, users quickly tracked the problem down to a couple of lines in the system file init.rc. My guess is that they were accidentally left in from device debugging. Thankfully the fix is trivial; you can probably even make it yourself if you're so inclined (comment out the offending lines described in the bug report and reboot). One caveat: init.rc is unpacked from the boot image's ramdisk at startup, so an edit made to the file on the running root filesystem is gone after the reboot; for the change to stick it has to be repacked into the boot image and that image reflashed.
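Two checks for the rule above and for the init.rc entry it points at, added here as an example rather than taken from the post or from Android's own tools. `build_is_vulnerable` applies the RC29 (US) / RC7 (UK) cut-off to a Build number string; `find_root_console_shell` scans an init.rc for a `service` that starts a shell with the `console` option and no `user` line, which is the shape of the AOSP debugging entry (init runs a service without a `user` line as root, and `console` hands it the console device as its standard input and output). The sample init.rc fragments are constructed for the example and are not quoted from the RC29 firmware; the function names are mine. On a phone it is assumed that `adb shell getprop ro.build.description` returns the Build number string and that `adb pull /init.rc` fetches the file.

```shell
# Decide from the "Build number" string whether the firmware predates the fix.
# Returns 0 = vulnerable, 1 = fixed, 2 = build line not recognised.
build_is_vulnerable() {
    build=$1
    case "$build" in
        *TC4-RC[0-9]*) last_bad=29 ;;   # US G1 builds: RC29 and earlier are affected
        *TC5-RC[0-9]*) last_bad=7  ;;   # UK G1 builds: RC7 and earlier are affected
        *) return 2 ;;
    esac
    rc=$(printf '%s\n' "$build" | sed -n 's/.*TC[45]-RC\([0-9][0-9]*\).*/\1/p')
    [ -n "$rc" ] || return 2
    [ "$rc" -le "$last_bad" ]
}

# Scan an init.rc for a "service" entry that starts a shell with the
# "console" option and no "user" line (init runs such a service as root).
# Prints "name -> path" for each match; returns 0 if any was found, else 1.
find_root_console_shell() {
    awk '
        function flush() {
            if (inservice && console && user == "root" && cmd ~ /\/sh$/) {
                print name " -> " cmd
                found = 1
            }
            inservice = 0
        }
        /^[[:space:]]*service[[:space:]]/ {
            flush(); name = $2; cmd = $3; console = 0; user = "root"; inservice = 1; next
        }
        /^[[:space:]]*on[[:space:]]/ { flush(); next }
        inservice && $1 == "console"  { console = 1; next }
        inservice && $1 == "user"     { user = $2; next }
        END { flush(); exit (found ? 0 : 1) }
    ' "$1"
}

# Constructed sample init.rc fragments (not quoted from RC29 firmware): the
# first carries a console shell entry of the shape AOSP used for debugging,
# the second does not.
write_sample_initrc() {
    cat >"$1" <<'EOF'
on boot
    class_start default

service console /system/bin/sh
    console

service adbd /sbin/adbd
    disabled

service dbus /system/bin/dbus-daemon --system --nofork
    user bluetooth
    group bluetooth net_bt_admin
EOF
}

write_fixed_initrc() {
    cat >"$1" <<'EOF'
on boot
    class_start default

service adbd /sbin/adbd
    disabled
EOF
}

# On a phone (assumed adb usage; adb shell output carries CR LF line endings):
#   build_is_vulnerable "$(adb shell getprop ro.build.description | tr -d '\r')"
#   adb pull /init.rc /tmp/init.rc && find_root_console_shell /tmp/init.rc
```

The build-string check is only as good as the two build lines the post lists, so an unrecognised string returns 2 rather than a false "fixed"; the init.rc scan is the check that actually matters, since it looks at the mechanism rather than the version label.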
Here’s a workaround I just discovered: Open the keyboard and type these 5 keystrokes: <return>-c-a-t-<return>. That will cause the phantom shell to not listen to commands any more, at least until the next reboot.
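Why the cat trick works, shown with an added simulation that is not from the original post and is not Android's own code: `cat` with no arguments copies its standard input to its standard output until end-of-file, and a child of the phantom shell inherits the shell's standard input, which on the G1 was the console the keyboard fed. Once `cat` is running, every later line goes to `cat` instead of to the shell, so the shell stops executing what you type until `cat` exits (which on the phone means the next reboot). The simulation below stands in for the root shell with a loop that `eval`s each line it is given, replaces `reboot` with `touch reboot` in a scratch directory so it is safe to run, and reproduces both the keystroke demonstration above and the workaround; the names `phantom_shell`, `type_lines` and `demo` are mine.

```shell
# Stand-in for the phantom root shell: runs every line delivered to it, the way
# the G1's shell on the console ran every line the keyboard delivered.
phantom_shell() {
    while IFS= read -r line; do
        eval "$line"
    done
}

# "Type" the given lines into the phantom shell, each followed by <return>.
# The shell runs inside $1, an empty scratch directory, so the typed commands
# can only touch files there.
type_lines() {
    dir=$1; shift
    for line in "$@"; do printf '%s\n' "$line"; done | ( cd "$dir" && phantom_shell )
}

# Scenario 1: "touch reboot" (stand-in for the real "reboot") is executed.
# Scenario 2: "cat" typed first inherits the shell's stdin and swallows every
# later line until EOF, so "touch reboot" never reaches the shell.
# Returns a two-word summary of what happened to the dangerous line.
demo() {
    dir=$(mktemp -d) || return 1

    type_lines "$dir" 'touch harmless' 'touch reboot' >/dev/null
    if [ -f "$dir/reboot" ]; then r1=ran; else r1=blocked; fi
    rm -f "$dir/harmless" "$dir/reboot"

    type_lines "$dir" 'cat' 'touch reboot' 'touch also-swallowed' >/dev/null
    if [ -f "$dir/reboot" ]; then r2=ran; else r2=blocked; fi

    rm -rf "$dir"
    printf '%s %s\n' "$r1" "$r2"
}

demo   # prints "ran blocked"
```

The simulation relies on the same property the real workaround does: the `read` builtin consumes its input one byte at a time from a pipe, exactly so that a child process can pick up where the shell left off. Note also what the workaround does not do: the root shell is still there, and anything that closes `cat`'s input (or kills it) hands the keyboard back to the shell.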
A patch from Google should be on its way soon. Meanwhile, be careful what you type.
Updated 10Nov2008: The patch installed itself on my G1 this weekend. I can verify that the bug has been fixed, so it’s safe to type “rm -r” in your instant messages again.
Disclosure: Ed Burnette is a Principal Systems Developer at SAS. However, the postings on this site are his own and do not represent the positions, strategies, or opinions of his employer.
Talkback (most recent of 43 comments)
sounds like....
Way back when... Bill was demo'ing a voice interface to windows when someone in the audience shouted out Format C colon....
ridingthewind, 11/07/2008 12:21 PM
LMAO... nt
T1Oracle, 11/07/2008 12:29 PM
I had to look this one up
From 1998, http://www.orcopug.org/pdf/sept98.pdf :
"Origin of urban legend
Thanks for checking on the speech recognition story. Although grounded in fact, I'm afraid that tale has grown into something of an urban legend. (I seem to recall that Steve Bass of Pasadena had a lot to do with enhancing and recirculating it.) The straight scoop is a bit less amusing, but was hilarious enough at the time.
Several years back, one of the speakers at a meeting of the Sacramento PC Users Group was demonstrating speech-recognition software. Just as the live portion of the demo was starting, a past-President named Rick Hellewell shouted out from the audience, "Format C colon." Nothing actually happened, but the comment brought down the house.
This has since become a running joke, which someone feels obligated to repeat (with ever-decreasing hilarity) whenever a vendor demonstrates a speech-recognition product, most recently at our July meeting.
Thank you for giving me the opportunity to set the record straight.
---Larry Clark, President, Sacramento PC Users Group"
I also found a reference to it here from 1993:
http://www.sacpcug.org/archives/20year/timeline-b.html
Ed Burnette (ZDNet Blogger), 11/07/2008 12:56 PM
good story anyway
thanks for the reference. I didn't realize it was partially true...
ridingthewind, 11/07/2008 01:15 PM
Steve Jobs at Oracle World ('98?)
While the above is apocryphal, I was present for a similar circumstance. Steve Jobs was keynoting at Oracle World, in the SanFran Hilton (I think it was '98) before he'd gone back to Apple. I think it was WebObjects or something. In any case, his PC, running Windows and Powerpoint, was having problems, and while there was the usual hemming and hawing and uncomfortable silence from the audience, after about 10 seconds someone way in the back said just loud enough to be heard, "Get a Mac".
No one could hear anyone for about a minute, from the laughter.
daboochmeister, 11/10/2008 12:36 PM
Confirmed.
I've just confirmed this bug on my test model of the G1 (pressed [enter] R-E-B-O-O-T [enter] and it rebooted on the spot).
andrew.nusca (ZDNet Moderator), 11/07/2008 01:28 PM
Android is a java framework it doesn't have an init.rc
The vulnerability clearly isn't in Android itself, it's in the operating system implementation (a custom linux distro?) on the G1 phone.
To classify it as an Android bug is a bit wide of the mark.
This is like saying that a Windows PC that boots a trojan on a CD has a vulnerability in Windows. Not so. The problem is in the CMOS settings allowing booting from CD.
Note: there are many phones in progress that will run Android. They could even run Windows CE or Symbian under the java framework. Therefore to classify this as an "Android" problem is just plain wrong.
stevey_d, 11/07/2008 02:07 PM
Android IS NOT a java framework.
Android is a platform, not a framework. There are so many more parts to Android than just the java API. Yes, the applications are written in java but that doesn't mean you'll see it running on Windows CE or Symbian. You'd have to re-implement the custom Java VM (it's not your run-of-the-mill VM, it's called Dalvik if you want to look it up) on each of those additional platforms as well as any platform specific libraries that are used by Android.
Saying Android is just a java framework is like saying the iPhone OS is just an Obj-C framework or Windows Mobile is just a .Net framework.
I do agree with you that it's a problem with HTC's implementation of the underlying Linux-based OS on the phone but that's also part of what's known as Android.
I just had to respond before people reading this article and the comments were led in the wrong direction by your comment.
I'd recommend taking a look at: http://code.google.com/android/what-is-android.html
aphistic (Edited: 11/07/2008 03:10 PM)
It's ALL Android
If you look at their stack diagrams Android is a custom Linux kernel with a Dalvik Java layer on top.
Also I can't seem to get this to work even though I have RC29.
storm14k, 11/08/2008 11:30 AM
my bad.
I downloaded a very early version, and I don't think I saw that diagram. My impression at the time was that if you provided the basic ABIs/APIs, you could run it on anything.
In fact, I'm pretty certain you could throw away the Linux kernel, and shim the rest of it onto something else, (WINE-like).
From memory, the Apache2 licence would allow you to do that, although you might have to call it something else, like iRobot.
I can't really see why anyone would bother now, though, as the iPhone style interface is available through versions of WindowsCE, Blackberry, G1 etc.
Bottom line though is that Ed is right, worst bug ever.
stevey_d, 11/09/2008 11:41 AM
IOW...
In the Android platform, Java runs under Linux. That is what I get from the recommended link.
mejohnsn, 11/12/2008 12:23 PM
RE: Worst. Bug. Ever.
Wow, that's scary. Think I will stick with my iPhone 3G.
Jess
www.anolite.echoz.com
jasonwheeler, 11/07/2008 06:32 PM
Please do...
...so I can laugh at you.
storm14k, 11/08/2008 11:32 AM
rkrenzis (Edited: 11/10/2008 04:58 AM)
Do *not* type "rm -rf /*"
Unless you *want* to erase everything on your phone, including the OS.
The command "rm -rf /*" is the classic example of something you basically never want to run on a UNIX system. However, I expect that there are many Android users who are not old UNIX hands and have never come across this wisdom.
gmatht, 11/08/2008 11:21 PM