Simple fix
Text message:
cat 0 > /proc/features/stupid/most
Google has issued a fix to the G1 handset, to stop it executing commands just because they appear in an entered text message - preventing punters from rebooting the handset just by typing the word "reboot". The bug can hardly be called a security problem, given it requires access to the handset, but the fact that until the fix …
Nor do I have anything constructive to say about this. However, for some reason I find the whole situation extremely funny and have been chuckling about it for five minutes now. I can just see someone showing their new Android phone off to their friends, comparing it to their iPhone and Blackberry and having the phone randomly reboot or some other thing. Much hilarity and laughing at said Android owner would occur. Thanks, El Reg, now my co-workers think I'm totally out to lunch.
That during my spell as a Hell desk engineer I quite often got text messages from users with problems who were traveling or were doing work on the weekend asking for some friendly out of hours support (as this was a best efforts deal, only the CEO or CIO actually called unless it was life and death); the rest, mostly work mates, would text me and hope I called or texted back with an answer. This would often contain the words reboot and restart in typical help desk style.
Thankfully those days are over and now I'm a systems engineer and my out of hours support is paid :-) but about 100 times harder :-(
(To the tune of Camptown Races)
rm -rf *
Doo dah, doo dah,
rm -rf *
Doo, doo dah day!
I wonder... does it just happen on texts you type yourself, or can received texts also trigger the command sequence? :)
Mind you, such a silly "bug" would certainly cause a few days of fun for wannabe BOFHs volunteering to offer "support" to Android (l)users :)
Paris, because. (Oh come on, I'm sure you can think of plenty of excuses for warranting her presence on this thread!)
What kind of on-the-road tech support would call for the instructing of someone to remove the entire root file system?
Seriously.
Malicious commands like this, yes. Such things were rare but depressingly not unheard of even in the mainframe days (telling a trainee Univac operator to type a shifted 41 on the production console was one quick way to get him fired, for example), but a legit instruction to destroy a computer that you would send by text message?
Who would action such a message without verbal confirmation and an official written request?
<sarcasm>
Erm, can't you guys see that it's a feature, and not a bug? I have an N800, and I know how difficult it is to open the terminal. Now that's what I call usability. I mean dude, you can type the commands from anywhere!! Even the guys @ Cupertino were not smart enough to implement this on the Jesus Phone. Pity they patched it now though.
</sarcasm>
But seriously, if this were on WinMo, everyone would go on ranting about how Microsoft's code is the "suxorz".
Prima: "hey, i jst gt a G1, supr neat. opn src ftw, scrw ur ifone"
Secunda: "Yeah, did it reboot yet?"
Prima (some time later): "er, yeh"
Secunda: "What, your phone managed to reboot when you read a text message?"
Prima: "HEY, IT DID IT AGAIN!"
Secunda: [snigger, repeat until bored/patched]
Easy - they used a common interface to access the underlying OS and text messages, or maybe the same UI with a debug switch to disable OS access. Then when release time came they found it worked OK in debug but not release, or there was pressure from the boss to get it out quick and 100 other things were forgotten.
Of course you do need to assume they aren't the best coders/lack experience of this type of project - and all sorts of stupid things can happen.
But look on the bright side - if all coders were good, it would be much harder for those of us who are to shine :-p
But it would be interesting to have a contest for it. I think the Register needs to be a bit more measured in their hyperbole. I like the style, but sometimes they go off the deep end.
Having said that, I'll admit that it was pretty egregious. The input buffer is executable by default? Weird.
Back to the original theme: They are even hyperbolic in their icons. I want to express disapproval, and the tombstone is sort of cute, but I'm not actually so steamed as to erase the bookmark.
...a major commercial radio group whose incoming text messaging system displayed incoming texts on a web page in the studio.
You guessed it already: it was possible to send HTML tags on which it would act, with hilarious consequences... not least sending links to jpgs that would be displayed as inline images. Still, it gave the DJs something to look at before playing another Coldplay record.
Paris F.O.R...
> Can anyone please explain how that bug might have been created?
> As a programmer, I am at a complete loss to understand how such an error would occur.
To me it seemed quite simple - it's a linux box so it boots up and starts running startup scripts in /bin/sh. Let's say that shell is attached to the 'tty' (or handset). Normally, that /bin/sh process either exits or transforms into init or something like that. Often, exiting that process reboots the machine because it's the main session (think single user mode, logout, reboot)
So, you've got /bin/sh running with the tty attached. You spawn the phone interface "/software/google/phone/runme &" popping it into the background and then you're left with the /bin/sh running.
Every key typed still hits the /bin/sh because it still has the tty. Easily fixed - "exec" the runme process (or equivalent), exit the startup script (assuming that won't reboot the machine), close STDIN, whatever.
Something like that is probably what happened. Background process which opened the tty, probably during boot that never let go.
Funniest thing I've seen in ages, though!
Why does Google need code that parses your text messages in this way (beyond lifting out numbers in cases they are telephone numbers)? What is it looking for? Is it speaking back to mother? Will you now get a "personal web experience" when your Android account gets paired up with your Google search/mail/apps account?
Google - they are the new evil.
In the early days of hacking (think just past 2600 phreaking) there were plenty of wannabes asking for hacking instructions and targets on IRC, and it was standard fare to tell them to target 127.0.0.1, grin.
Funny that, they always dropped out of the conversation afterwards :-)
Ah, those were the days..
As the title says, at least it's only when you compose a text message. Imagine the fun you could have if you could just send a text to an Android phone with the word "reboot" in it.
I suppose not the daftest bug ever created. It's along similar lines to SQL injection bugs found on web servers. It does beg the question of why the Android is parsing what is effectively a text entry field.
Makes my iPhone seem bug-free...
As a programmer myself, I am at a loss to understand how this bug came to be. How in hell is their software structured?
So, you have a 'console' right, where you can type commands into the command line interpreter (CLI)?
The CLI parses your input against a known list of commands and executes the commands as it finds them.
Why would you ever (as the programmer) want to place the text of a received message through the CLI?
I can think of only one reason: It would give the network operator a facility to reconfigure your phone via SMS, like the 'network service' texts that one sometimes receives when roaming networks for example.
Damn. I think I've just answered my own question.
Oh dear. Nasty bug.
This would never have happened if the OS had been written in FORTH :-)
More information:
"It looks like there is a /system/bin/sh process running in the background with /dev/console mapped to stdin. That has the effect that everything you type on your keyboard is actually being executed as root in the background even though you don't see the output."
http://code.google.com/p/connectbot/issues/detail?id=64
Which means everything you type is being executed, most of it returns "<command>: not found", but do not under any circumstances send a text message about anything computer related or it'll run with root privileges.
Ye Gods, give me Symbian or even Windows Mobile any day. Who in their right mind would use one of these shiny new devices from a latecomer like Google or Apple to access a network if they're going to get billed for it?
Is this a bug? Surely, in all seriousness, this is a feature. Why else would it execute commands from what should simply be a large-never-executed-block-of-text-to-be-sent-somewhere? Are you suggesting that the programmers *accidentally* enabled command execution in a text box? Is that like when shoplifters *accidentally* drop things into their pockets in shops? :) "Sorry, Officer. These big pockets are a design flaw of the coat I'm wearing... and I'm clumsy"
I have just spoken with T-Mobile 'customer services' and while Google and T-Mobile US are sending updates out, the UK division has confirmed that there are currently no updates to the phone beyond what it comes out of the box with (RC7).
But not to worry, apparently if we keep an eye on T-Mobile.co.uk over the coming months there should be some updates!
Coming months ey? Nice to know they are looking at the ability to push updates and then ignoring them completely...
For all those on about receiving texts with the word reboot in, that's not what happens.
Pretend you have a root console open. That's what the bug is.
Everything you type is run, so to get it to reboot, you need to type return-r-e-b-o-o-t-return. Without returns, it's just line noise.
However, it allows stuff like echo "#!/bin/bash\nreboot\n" > /etc/rc.d/rc.sysinit
This very loosely reminds me of the time I used to use personalised auto-replace shortcuts in MS Word. I had a list of commonly-used-but-irritatingly-long work-related phrases for which I had a number of short phrase matches. All well and good until you belatedly realise that you've become reliant upon it, and now habitually type the word 'wanker' when really you wanted your boss's name... And you've just sent an e-mail to said wanker, using OWA, no less, which doesn't even have an auto-correct feature, let alone the same dictionary as the one on my work PC.
When Chrome first went public, if you typed %evil into the command line it would crash the entire browser. One of my friends rigged up a page on his site to see if this could be done just by visiting a page, and it could. So of course he did the responsible thing and put it on an "about Chrome" page on his site, which just displayed "goodbye".
If you typed reboot in the middle of a sentence, like this one, it wouldn't reboot. That's because the first word is "If", so it would try to run the "If" command, which isn't found.
Android only ships with a few Linux commands built-in, which explains why nobody noticed for a couple of weeks after the G1 came out. For example if you typed "make love not war" at the beginning of a line nothing untoward would happen because the make command was not shipped in the image.
The problem didn't occur on the emulator that everyone had been running for a year before the T-Mobile G1 came out. I'm not sure exactly why, but that's another reason it took a while to discover.
The fix should be pushed out to all handsets by now. I provide instructions to figure out if you have the fix in my blog (http://blogs.zdnet.com/Burnette/?p=680).
Seems that merely sending someone an SMS with the only text as "reboot" and the enter key (to send) doesn't work - neither in IM nor in my text-ed app.
However, from the "front screen", typing 'reboot' and then enter will at first try and match the letters to a contact in your address list, and on the enter press, actually reboots the device - fab!
I have no idea why I am so excited at getting a major flaw to work. At least I am safe in the knowledge that dropping the word randomly into my SMS messages or IM messages isn't going to result in sudden death. :)
It's not about messages that are received, it's about actual keys typed. There's a shell process still running in the background receiving the keystrokes. It was probably a very simple (in both the "easy" and "stupid" sense) mistake to make. No tricky programming, just forget that you left a shell running during startup or forget to disassociate it from /dev/console.
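The startup-script explanation earlier in the thread, the quoted /system/bin/sh note and the comment above all describe the same condition: a shell left reading /dev/console after boot. The following is an added example, not code from the thread, from Android or from Google. It parses a constructed `ls -l /proc/*/fd/0` listing (PIDs, dates and paths are made up) to spot any process whose stdin is the console, can run the same check against a live Linux /proc, and shows the background-launch pattern that keeps the console out of the child's stdin. The path /software/google/phone/runme in the comment is the hypothetical one used earlier in the thread, not a real Android path.

```shell
#!/bin/sh
# Added example: not code from the thread, from Android or from Google.
# Audits a Linux box for a process whose stdin is /dev/console (the condition
# described in the thread) and shows the launch pattern that avoids it.

# Constructed sample of `ls -l /proc/*/fd/0` output, pretending PID 42 is a
# leftover /system/bin/sh still reading the console. PIDs and paths are made up.
SAMPLE_FD0='lrwx------ 1 root root 64 Oct 31 09:00 /proc/1/fd/0 -> /dev/null
lrwx------ 1 root root 64 Oct 31 09:00 /proc/42/fd/0 -> /dev/console
lrwx------ 1 root root 64 Oct 31 09:01 /proc/77/fd/0 -> /dev/null
lr-x------ 1 root root 64 Oct 31 09:01 /proc/80/fd/0 -> pipe:[1234]'

# console_readers: read an `ls -l` listing of fd 0 symlinks on stdin and print
# the PID of every process whose stdin resolves to /dev/console. Using $NF and
# $(NF-2) keeps it independent of how many fields the date column occupies.
console_readers() {
    awk '$NF == "/dev/console" { split($(NF-2), p, "/"); print p[3] }'
}

# audit_live_system: run the same check against the real /proc (Linux only).
# Prints nothing when no process is still reading the console.
audit_live_system() {
    ls -l /proc/[0-9]*/fd/0 2>/dev/null | console_readers
}

# stdin_of_detached_job: start a background job the way a startup script
# should, with stdin redirected from /dev/null before it is backgrounded, and
# report where the job's fd 0 actually points. The buggy pattern would be
#     /software/google/phone/runme &          (hypothetical path from the thread)
# which inherits the script's console as stdin, so keystrokes keep landing in
# whichever shell still owns the console. Exec'ing the child instead of
# backgrounding it is the other fix mentioned in the thread.
stdin_of_detached_job() {
    sh -c 'readlink /proc/self/fd/0' </dev/null &
    wait $!
}

# Usage: parse the sample, then audit the machine this runs on.
printf '%s\n' "$SAMPLE_FD0" | console_readers        # prints 42
audit_live_system
stdin_of_detached_job                                 # prints /dev/null on Linux
```

On a healthy system `audit_live_system` prints nothing; any PID it prints is a process that will receive whatever is typed on the console, and that process's command line is the first thing to look at.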
What???
Are you telling me that android handsets are out?
I hadn't noticed.
Seriously, I haven't had a single person show me one or talk about them.
Zero buzz.
Listening to the geek community, this was supposed to be more like the second coming of Christ than the iPhone.
Great that the first thing I hear about them since launch is this hideously embarrassing bug.
Can't help but think that the Register nerd collective would have been much harder on this if either MS or Apple had been responsible.
Must be gutting for all the haters that their saviour from the iPhone succumbs to such a silly error.
Tester: The phone's gone into a wait state and I have to remove the battery to start testing again.
Developer: I know, I will let you enter commands from the keyboard.
Tester: But what if I'm in another app!
Developer: I will scan all input for valid commands.
Tester: Great.
Developer: I must remember to take that out when we go beta.