November 7th, 2008
Worst. Bug. Ever.
It turns out the bug in Android I wrote about yesterday was worse than we thought. When the phone booted it started up a command shell as root and sent every keystroke you ever typed on the keyboard from then on to that shell. Thus every word you typed, in addition to going to the foreground application would be silently and invisibly interpreted as a command and executed with superuser privileges. Wow!
In the bug report (issue 1207) jdhorvat writes:
Funny story behind finding this:
I was in the middle of a text conversation with my girl when she asked why I hadn’t responded. I had just rebooted my phone and the first thing I typed was a response to her text which simply stated “Reboot” - which, to my surprise, rebooted my phone.
When I first read this I didn’t believe it. Then I read it again, and again, and finally tried it for myself. It’s true. Don’t believe me? Save anything you’re working on (this will reboot your phone!), open the keyboard tray on your G1, ignore anything you see on the screen, and type these 8 keystrokes: <return>-r-e-b-o-o-t-<return>. Poof, your phone will reboot. This only works on a real phone, not in the emulator, and only with firmware version 1.0 TC4-RC29 and earlier.
From the home screen select Menu > Settings > About phone, and look for the Build number (near the bottom). If you see this:
kila-user 1.0 TC4-RC29 115247 ota-rel-keys,release-keys
then you’re vulnerable. If you see anything later than RC29 then you already have the fix.
Because Android is open source, the problem was quickly tracked down by users to a couple lines in the system file init.rc. My guess is that this was accidentally left in during device debugging. Thankfully the fix is trivial; you can probably even make it yourself if you’re so inclined (just comment out the offending lines described in the reports above and reboot).
Here’s a workaround I just discovered: Open the keyboard and type these 5 keystrokes: <return>-c-a-t-<return>. That will cause the phantom shell to not listen to commands any more, at least until the next reboot.
A patch from Google should be on its way soon. Meanwhile, be careful what you type.
Ed Burnette has programmed everything from device drivers and compilers to video games and multi-user servers. He is currently writing enterprise software in a variety of languages including C, Ruby, Python, and Java. For disclosure of Ed's industry affiliations, click here.