
T-Mobile G1 Rooted

CmdrTaco posted more than 5 years ago | from the that-didn't-take-long dept.

Cellphones 246

An anonymous reader writes "T-Mobile's G1 phone, the first commercially available Android based phone, has been rooted. The exploit is extremely simple to execute, just requiring you to run telnetd from a terminal on the phone, and then connecting to the phone via telnet."


246 comments

Really? (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25642385)

First post?

Re:Really? (3, Funny)

Anonymous Coward | more than 5 years ago | (#25642409)

I claim this first root post for Spain!

Story? (0)

chill (34294) | more than 5 years ago | (#25642417)

Apparently, so has the server. Or was this story a trick to get us to stress test the new Apache on Android app?

BUT TEH GOOGEL BE TEH DUNT BE TEH EVEL!!!111!!!! (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#25643915)

But Teh Googel Be Teh Dunt Be Teh Evel!!1!!! Dey Stil Bettar Den Teh MiKKKr0$$$l0th, Who Is Teh Suxxor, LOLz!@!@121!!!

Teh Googel Baesd Dere Fone On Teh Lunix, Witch Iz Teh Bettar Den Teh Winbloze, LOLz!!11!1121!

An Dey Dunt Be Teh Evel, Which Make Dem Bettar.

Re:BUT TEH GOOGEL BE TEH DUNT BE TEH EVEL!!!111!!! (2, Funny)

Anonymous Coward | more than 5 years ago | (#25644727)

Where is the -1: WTF? mod?

Re:BUT TEH GOOGEL BE TEH DUNT BE TEH EVEL!!!111!!! (2, Funny)

Anonymous Coward | more than 5 years ago | (#25644835)

-1: Inbred

Rooted? (5, Funny)

earthcreed (1292180) | more than 5 years ago | (#25642461)

This just in, all machines that you have root access on rooted! If you have access to run telnetd you already have root.

Re:Rooted? (2, Informative)

Anonymous Coward | more than 5 years ago | (#25642531)

-- unless it's setuid, of course.

Re:Rooted? (1)

Sparr0 (451780) | more than 5 years ago | (#25642717)

*whoosh*
people other than the person running telnetd can gain root access to the device.

Re:Rooted? (5, Funny)

Deadplant (212273) | more than 5 years ago | (#25643227)

in related news, researchers have discovered that if you open a root console on any flavour of linux and stick the keyboard out a window anyone walking by will be able to gain root access to your machine.

Re:Rooted? (4, Informative)

Anonymous Coward | more than 5 years ago | (#25644199)

And it also works in the other way... you can put your already rooted equipment into any window, and anybody inside that house will be able to gain root access, and also call the police

Re:Rooted? (0)

Anonymous Coward | more than 5 years ago | (#25644423)

Ah, so that's what they mean with ``world writable''.

Re:Rooted? (1, Funny)

Anonymous Coward | more than 5 years ago | (#25644477)

Not a problem. I live in a tower block....

Oh, damn you spiderman!

Re:Rooted? (4, Insightful)

deniable (76198) | more than 5 years ago | (#25643283)

Well, yeah. You did run telnet for them. Why else would you run it? Hasn't it been on the list of don't run services for years now?

The much better question is: why is there a telnetd on the phone in the first place?

Re:Rooted? (4, Insightful)

Sparr0 (451780) | more than 5 years ago | (#25644027)

Because telnetd has some tiny fraction of the system overhead of ssh daemons, even "tiny" ones.

Re:Rooted? (5, Funny)

cream wobbly (1102689) | more than 5 years ago | (#25644791)

"System overhead"? Oh please.

Do try to stay on topic: we're not talking about low-capability embedded devices, we're talking about a cellphone!

Re:Rooted? (3, Insightful)

deniable (76198) | more than 5 years ago | (#25643237)

More importantly, if you have physical access to the console, all bets are off.

News Flash

Houses are rootable. If you unlock your doors and hang out a 'rob me' sign, people can break in.

Re:Rooted? (3, Insightful)

Pope (17780) | more than 5 years ago | (#25643889)

If the door's unlocked, it's hardly "breaking in," is it?

Re:Rooted? (1)

kgkeys (239243) | more than 5 years ago | (#25644163)

If the door's unlocked, it's hardly "breaking in," is it?

Then it's entering. Of course I've always wondered why it's "Breaking AND Entering" instead of "Breaking or Entering" except of course if you DO indeed break, then you would ALSO enter, so I guess it should be "Breaking and/or Entering"

Re:Rooted? (4, Informative)

Smauler (915644) | more than 5 years ago | (#25644279)

Erm.... Breaking and entering is exactly what it says. Just entering is called trespassing, and just breaking is called criminal damage. Don't ask me how I know :).

Re:Rooted? (5, Informative)

paeanblack (191171) | more than 5 years ago | (#25644211)

If the door's unlocked, it's hardly "breaking in," is it?

Yes it is.

The "Breaking" part of "Breaking & Entering" refers to breaking the plane of entry, not physically damaging anything.

"Breaking" is not actually a separate action from "Entering". The reason they are used together is for clarity...one word derives from Old English, and the other word derives from French. Writing laws this way was useful when the Normans and Saxons were trying to cohabitate on the same island.

There are many legal terms constructed the same way:
Null and void
Cease and desist
Last Will and Testament
Aid and Abet
Goods and Chattels
Terms and Conditions
etc.

Re:Rooted? (4, Funny)

Koiu Lpoi (632570) | more than 5 years ago | (#25644057)

I would honestly bet that a house with a rob me sign would not be robbed. Most burglars would feel it's some kind of trick.

Re:Rooted? (4, Funny)

Anonymous Coward | more than 5 years ago | (#25644131)

That reminds me of the van owner that put up a sign saying 'No tools or valuables inside'

The next morning it had been broken into and the thieves had left a note saying 'Just checking'

Re:Rooted? (4, Funny)

neowolf (173735) | more than 5 years ago | (#25643409)

Agreed. Non-story. This is just stupid.

Excuse me sir... I would like to hack into your phone. Could you please type this in for me...

Re:Rooted? (3, Insightful)

Olix (812847) | more than 5 years ago | (#25643833)

To be fair though, lots of people /are/ stupid enough to fall for this kind of thing... consider how well that "I love you" worm or whatever it was did a few years back.

With the right method, I'm sure you could con people into doing something silly with an Official-sounding text message, and then exploit it.

Re:Rooted? (4, Funny)

lysergic.acid (845423) | more than 5 years ago | (#25644747)

i dunno. tech support operators have a hard enough time walking the average person through how to run ipconfig on their windows PCs. trying to get the average person to open a terminal in Linux to run anything would be like trying to walk a cow down a flight of stairs.

I haven't followed the whole Android business, but (5, Funny)

Loibisch (964797) | more than 5 years ago | (#25642499)

...wasn't this supposed to be an open platform anyway? I don't quite get it.

Re:I haven't followed the whole Android business, (1)

Sparr0 (451780) | more than 5 years ago | (#25642751)

What don't you get? Someone ran a network service on an open platform, the service was buggy, the device got exploited (in theory, anyways).

Re:I haven't followed the whole Android business, (1)

saintsfan (1171797) | more than 5 years ago | (#25643173)

i think the poster is asking- why is it necessary to use a work-around to gain root access on an open device you own

Re:I haven't followed the whole Android business, (4, Informative)

Sparr0 (451780) | more than 5 years ago | (#25643365)

Sorry, I fail for not RTFA. They are misusing "rooted", which confused me. "rooted" in the popular [geek] vernacular means that a remote non-admin user can gain root access, such as through a buffer overflow exploit. It has nothing to do with the practice of gaining root access on your own devices.

Re:I haven't followed the whole Android business, (1)

Colonel Korn (1258968) | more than 5 years ago | (#25643793)

Sorry, I fail for not RTFA. They are misusing "rooted", which confused me. "rooted" in the popular [geek] vernacular means that a remote non-admin user can gain root access, such as through a buffer overflow exploit. It has nothing to do with the practice of gaining root access on your own devices.

I think they're using it to imply that you're renting access to Google's OS instead of gaining ownership of it, so you're gaining root access against the owner's intent.

Trojan Apps (1)

grahamsz (150076) | more than 5 years ago | (#25643819)

This in theory means any trojan app that requests "internet access" can telnet in and root the device it runs on.

That's a sizable risk

Re:Trojan Apps (1)

lysergic.acid (845423) | more than 5 years ago | (#25644893)

if you have a trojan on your system then you're already rooted. being able to run telnetd is not a security problem.

if on the other hand telnetd started up on its own, or could be remotely triggered, then it'd be a serious security flaw.

Re:I haven't followed the whole Android business, (4, Insightful)

Yetihehe (971185) | more than 5 years ago | (#25643855)

Better get used to it. First was the "hacker" word, now "rooting".
What's next, "open"?

Re:I haven't followed the whole Android business, (3, Insightful)

Duradin (1261418) | more than 5 years ago | (#25644723)

Don't forget "bricked".

Bricked used to mean you took the piece of equipment out to the firing range for its final trouble "shooting".

Now it means you just press the reset button.

Re:I haven't followed the whole Android business, (0)

Anonymous Coward | more than 5 years ago | (#25642987)

It appears to be mostly open; apparently they are following the Tivo model. This means that you won't be able to build a custom kernel that will run on the device because the public doesn't have access to the signing keys.

Re:I haven't followed the whole Android business, (1)

SirJorgelOfBorgel (897488) | more than 5 years ago | (#25643923)

Sure you will. I know people are working on it (guess I'm going to be guinea pig for this again). For most HTC Windows Mobile devices this has been done long ago (and usually takes only a couple of days after a new one comes out).

Not having the signing keys is usually not that much of an issue (just disable the key check).

Coral to the rescue (3, Interesting)

MightyYar (622222) | more than 5 years ago | (#25642533)

Coral Cache [nyud.net]

On a side note... a hyphenated domain name! How retro...

Re:Coral to the rescue (3, Funny)

Philosinfinity (726949) | more than 5 years ago | (#25642789)

It could be worse... I chose a domain name with a double hyphen... aleph--null.com Whenever a web form states that my email address is invalid, i realize my folly just a bit more.

Re:Coral to the rescue (3, Insightful)

Splab (574204) | more than 5 years ago | (#25643413)

I've never understood why so many web programmers insist on parsing E-mail addresses, very few are capable of doing it correctly. I usually use splab+someidentification@mydomain.tld - this way I can track where I submitted the address they got - but since programmers insist on parsing the E-mail address they almost always consider + to be invalid.

Just send the person a confirmation E-mail and Bob's your uncle.

Re:Coral to the rescue (0)

cavtroop (859432) | more than 5 years ago | (#25643737)

Input validation is your friend. Without it, things like

''; DROP TABLE *

could be possible.

Re:Coral to the rescue (0)

Anonymous Coward | more than 5 years ago | (#25644031)

Unless you want your users to be able to execute SQL from a form, input validation is the wrong solution for the problem.

Re:Coral to the rescue (1)

juiceboxfan (990017) | more than 5 years ago | (#25644089)

Input validation is your friend. Without it, things like
''; DROP TABLE *
could be possible.

So, there is no way to keep an arbitrary string from being interpreted as a command?
Sounds like a problem with the app.
Blocking strings at the input level would leave little Bobby Tables [xkcd.com] without an education.

Re:Coral to the rescue (1, Insightful)

Anonymous Coward | more than 5 years ago | (#25644465)

And that's why there are things called Prepared Statements, where you pass in the values as parameters rather than as part of the SQL string.

Anyone not using them should not be working with databases. Why reimplement your own quoting function, or use a platform-provided quoting function, when there is this sane method to do things!

However there is no need to verify email addresses are valid beyond asking the user to verify their email address (far more reliable for catching mistypes than running a regex on a single field) in the form.
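Added example (not part of the original thread): the prepared-statement approach from the comment above, shown next to string splicing, using the two addresses mentioned in this sub-thread. The `subscribers` table, the function names, the `user@` local part and the last two sample inputs are constructed for illustration; SQLite stands in for whatever database a real form would use.

```python
import sqlite3

SAMPLE = [
    "splab+someidentification@mydomain.tld",  # plus-tagged address from the thread
    "user@aleph--null.com",                   # thread's domain; local part constructed
    "o'brien@example.com",                    # constructed: apostrophe is legal in a local part
    "x'); DROP TABLE subscribers; --",        # constructed hostile input
]


def open_db():
    """Fresh in-memory database with one table (name is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT NOT NULL)")
    return db


def add_unsafe(db, email):
    """'Before': the value is pasted into the SQL text, so it is parsed as SQL.
    executescript() runs every statement in the resulting string."""
    db.executescript("INSERT INTO subscribers (email) VALUES ('%s');" % email)


def add_safe(db, email):
    """'After': the SQL text is fixed; the value travels as a bound parameter
    and is never parsed, so no character needs to be rejected or escaped."""
    db.execute("INSERT INTO subscribers (email) VALUES (?)", (email,))
    db.commit()


def table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type = 'table' AND name = 'subscribers'"
    ).fetchone()
    return row[0] == 1


def stored(db):
    return [r[0] for r in db.execute("SELECT email FROM subscribers ORDER BY id")]


def unsafe_outcome(email):
    """What the spliced query does with one input, on a fresh database."""
    db = open_db()
    try:
        add_unsafe(db, email)
    except sqlite3.Error:
        return "error"          # a legitimate address broke the statement
    return "stored" if table_exists(db) else "table dropped"


def safe_roundtrip():
    """Insert every sample through the bound-parameter path and read it back."""
    db = open_db()
    for email in SAMPLE:
        add_safe(db, email)
    return table_exists(db), stored(db)


if __name__ == "__main__":
    for email in SAMPLE:
        print("unsafe %-40r -> %s" % (email, unsafe_outcome(email)))
    print("safe  ", safe_roundtrip())
```

With bound parameters the `+`, the double hyphen and the apostrophe are all stored verbatim, so the form has no reason to reject them; whether the address is deliverable is then settled by the confirmation mail.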

Re:Coral to the rescue (1)

ZERO1ZERO (948669) | more than 5 years ago | (#25643899)

T-mobile itself has a hyphenated domain name... : http://www.t-mobile.co.uk/ [t-mobile.co.uk] what's the deal about domain name hyphenation being considered retro?

Re:Coral to the rescue (1)

MightyYar (622222) | more than 5 years ago | (#25644881)

I didn't mean nuthin' by it, honest! :)

I think you come across far fewer hyphens these days... I think people are comfortable just stringing words together, and so that has emerged as the de-facto standard. myspace, youtube, facebook, etc. A quick look at the alexa top 100 shows only one hyphen in the whole bunch.

Bad Idea (4, Insightful)

TheAmit (1011767) | more than 5 years ago | (#25642653)

Waiting to see how many non-Linux types try this and get in trouble. It's not a good idea to change permissions on sh. All other apps you run on your phone and use sh are now running as root [:)] I would be very scared of this setup. Going to enjoy this

Re:Bad Idea (0)

Anonymous Coward | more than 5 years ago | (#25642855)

sudo fuck up my G1

Wait...so.... (3, Insightful)

kcbanner (929309) | more than 5 years ago | (#25642699)

The user...has to run telnetd...as root...how...how is this an exploit? Maybe it's more complex than this but the site is currently 503ing for me.

Re:Wait...so.... (3, Informative)

MrMr (219533) | more than 5 years ago | (#25643005)

No it's not more complex. The curious bit is that telnetd appears to set uid=0 after login, which allows you to make a setuid root shell.
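Added example (not part of the original thread): a defender's audit for the end state this comment describes, a set-UID root shell left on the filesystem. The function name, the `SHELL_NAMES` list and the baseline allowlist are assumptions made for illustration; matching on file name is only a heuristic, so every non-baseline set-UID file is reported and shell-named ones are ranked highest.

```python
import os
import stat

# File names treated as command interpreters (assumption for this example).
SHELL_NAMES = {"sh", "ash", "bash", "dash", "ksh", "zsh", "busybox"}


def audit_setuid(root, baseline=(), owner_uid=0):
    """Walk `root` and return sorted (severity, path) pairs for regular files
    that carry the set-UID bit, are owned by `owner_uid` (root by default)
    and are not listed in `baseline`, the set of paths expected to be set-UID."""
    expected = {os.path.abspath(p) for p in baseline}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.abspath(os.path.join(dirpath, name))
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # entry vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & stat.S_ISUID:
                continue                     # ordinary file, runs as the caller
            if st.st_uid != owner_uid:
                continue                     # set-UID, but not to the uid we audit
            if path in expected:
                continue                     # known and accepted
            # A set-UID interpreter hands its owner's privileges to whoever
            # can execute it, which is the situation the thread discusses.
            severity = "critical" if name in SHELL_NAMES else "review"
            findings.append((severity, path))
    return sorted(findings)


if __name__ == "__main__":
    # Scan a directory given on the command line, default to the current one.
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for severity, path in audit_setuid(target):
        print("%-8s %s" % (severity, path))
```

Run it against the directories that hold executables and compare the output with a baseline recorded from a known-good image; any new "critical" line deserves immediate attention.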

No, you don't have to run as root first. (4, Informative)

Animats (122034) | more than 5 years ago | (#25643477)

It's apparently weirder than that. Running "telnetd" as an ordinary user apparently allows remote logins as root. This happens even though the "telnetd" executable does not apparently come with permissions set-UID to root. If that's correct, there's a security hole somewhere else that's being used by accident here. Is "login" a set-UID program on Android phones?

(As a robotics guy, I hate the name "Android" being used for a telephone. It's the worst choice since "U.S. Robotics" which ended up as a modem company.)

Re:No, you don't have to run as root first. (1, Interesting)

Anonymous Coward | more than 5 years ago | (#25644349)

Actually, the only weird thing is that telnet can listen on port 23 (but removing the privileged-ports-for-root-only rule might make sense on a phone). Telnet often exec()'s /bin/login or similar, and if that file is setuid root...

Re:No, you don't have to run as root first. (3, Interesting)

SnowZero (92219) | more than 5 years ago | (#25644783)

Just about everyone in the robotics community calls them humanoid robots anyway. "Android" and "droid" are pretty much confined to sci-fi, and by the time we have real androids, I'm pretty sure this phone OS will be a thing of the past. Sure, Ishiguro's current work in this area is pretty interesting, but even those robots are only mistaken for humans from a distance, and they aren't mobile.

Explanation (1)

mpapet (761907) | more than 5 years ago | (#25643675)

Historically, other closed systems rely on running security/lockout things in some kind of root such that should the user elevate their privileges to root, they can screw around with the closed system.

I don't know enough about the platform in question to know if getting to root gives you the freedom to defy the carrier's wishes.

Even if getting root privileges opens the phone up in ways Google did not plan, what are the actual long-term benefits? I don't see any.

hmnn? (1)

Vexorian (959249) | more than 5 years ago | (#25642715)

I don't know much about android or phones or anything, how is this an exploit? I mean, it requires you to physically get to the phone and open a terminal...

Re:hmnn? (5, Funny)

antifoidulus (807088) | more than 5 years ago | (#25642771)

Well, it's a problem if you are both security conscious AND stupid.... oh how I wish that was a much smaller intersection than it actually is....

Re:hmnn? (1)

H0p313ss (811249) | more than 5 years ago | (#25642905)

Well, it's a problem if you are both security conscious AND stupid.... oh how I wish that was a much smaller intersection than it actually is....

Yes... but we're talking here about a level of stupidity that would preclude the incredibly small demographic that would be smart enough to start telnetd in the first place.

Re:hmnn? (1)

denis-The-menace (471988) | more than 5 years ago | (#25643095)

You obviously haven't met our security people.
They are quite qualified in the area of procedures.

I think I saw this somewhere:
"procedures are the last refuge of the incompetent."

Re:hmnn? (1)

deniable (76198) | more than 5 years ago | (#25643455)

Maybe, but I've worked in places that needed *more* bureaucracy. Then again, one of those was the place where we had to upgrade the comms because the construction workers were wasting too many chargeable hours downloading their daily porn. Just one written 'No porn in the workplace' document would have been nice.

Android Touch (0)

Anonymous Coward | more than 5 years ago | (#25642765)

Why can't they come out with a $100 android WITHOUT the phone capabilities? It would be a great and useful platform without having to switch your mobile provider.

Apple has the touch, why can't Google do the same?

Smartphone - phone = PDA (1)

tepples (727027) | more than 5 years ago | (#25643071)

Why can't they come out with a $100 android WITHOUT the phone capabilities? It would be a great and useful platform

A smartphone without the phone is called a PDA. And yes, there is a Linux PDA; you will just have to wait for the next preorder [openpandora.org] .

Re:Smartphone - phone = PDA (1)

omeomi (675045) | more than 5 years ago | (#25643257)

A smartphone without the phone is called a PDA

I don't know that many people would call an iPod Touch a PDA...I think the term PDA has more to do with its intended use rather than any actual physical capabilities.

iPod Touch = PDA (2, Funny)

SkimTony (245337) | more than 5 years ago | (#25643557)

That depends on your expansion of "PDA." Have you seen the Apple fanboys making out with their devices in public? I think that counts as PDA as well.

Re:Android Touch (1)

squiggleslash (241428) | more than 5 years ago | (#25643077)

You can install Android on the Nokia N800/N810, if you want. A phone-less G1 wouldn't be $100 BTW, as there'd be no reason for a phone company to subsidize it. An unsubsidized G1 is around the $400 mark, so you'd be looking at something closer to $300 for a phone-less G1.

Re:Android Touch (1)

mrsteveman1 (1010381) | more than 5 years ago | (#25643593)

Because the phone capabilities and the applications are all it has going for it right now, when it comes to things like video and music the G1 is nearly incompetent right now, and that seriously kneecaps its chances of competing with the ipod touch.

Yes and No (1)

grahamsz (150076) | more than 5 years ago | (#25643883)

I use the data capabilities far more than the phone capabilities.

The fact that it's only EDGE here until next week isn't really a big deal because i'm scarcely ever off wifi.

This is like saying... (4, Insightful)

NitroWolf (72977) | more than 5 years ago | (#25642777)

This is like saying something is "bricked" when it's just a bad firmware flash that can be fixed.

The phone isn't rooted. Rooted means someone gained root access through an exploit and/or installed a root kit. Running telnetd and then connecting as root is a normal method of logging in, no exploits required.

Or are they saying every UNIX system that has a method of remote access is rooted?

Re:This is like saying... (5, Funny)

Anonymous Coward | more than 5 years ago | (#25643093)

Well, I found an exploit to alter the root password on Unix systems. It's really simple. You just login or su to root, then run the command 'passwd'. Works every time.

Re:This is like saying... (0)

Anonymous Coward | more than 5 years ago | (#25643977)

Darn! Is not working for me... is asking for a password! Do you have a link to your step by step procedure? -- Some will argue that ignorance is bliss

Re:This is like saying... (4, Informative)

omeomi (675045) | more than 5 years ago | (#25643301)

The phone isn't rooted. Rooted means someone gained root access through an exploit and/or installed a root kit. Running telnetd and then connecting as root is a normal method of logging in, no exploits required.

Well, given that it's a device that isn't designed to be root-accessible by the user, this did require somebody to do something that the manufacturer didn't intend in order to gain root access.

Re:This is like saying... (1, Informative)

Anonymous Coward | more than 5 years ago | (#25643613)

part of the exploit is that when *any* user logs in through telnet uid=0 is set. This allows any user to elevate to root privileges because the user's shell is set to the same uid as the telnet daemon (who is running as root)

Re:This is like saying... (1)

Zarf (5735) | more than 5 years ago | (#25643961)

This is like saying...

... if you can sudo to root then you have *rooted* the system!!!

... if you can drive a car then you have *rooted* the car!!!

... if you can turn a TV on and off then you have *rooted* the TV!!!

... if you can get people to reply to your stupid message on /. then you have *rooted* SLASHDOT!!! ... whee!!!

Re:This is like saying... (1)

Toll_Free (1295136) | more than 5 years ago | (#25644263)

So if I have sex with a woman, I've rooted her?

Come to think of it, rooting around in a woman sounds good.

(off to find a woman).

--Toll_Free

You missed something important... (1)

Viol8 (599362) | more than 5 years ago | (#25644509)

This telnetd didn't ask for a login or password - it just went straight to a root shell prompt.

Hmmmm (0)

Anonymous Coward | more than 5 years ago | (#25642797)

Are you sure that it isn't running Windows?

In other news... (1)

geekmux (1040042) | more than 5 years ago | (#25642893)

...a "hacker" was questioned today when it was discovered at the Genius Bar that he had set his own root password on his Macbook.

Give me a break. It was bound to happen.

They left Telnetd on it? (3, Insightful)

LWATCDR (28044) | more than 5 years ago | (#25643201)

What???
Telnetd is one of those things that should just be deleted from every system that it is on.
Just use SSH folks.

Re:They left Telnetd on it? (0)

Anonymous Coward | more than 5 years ago | (#25643637)

Why? Zee gemrmanz might hijack your 2m long cable?

Re:They left Telnetd on it? (1)

1stvamp (662375) | more than 5 years ago | (#25644137)

If you RTFA, ptelnetd is installed first by the user. This then somehow gains setuid privs without the setuid bit being set (as someone else commented, perhaps `login` does).

No it isn't (1)

Viol8 (599362) | more than 5 years ago | (#25644579)

I have a small LAN with 2 machines at home behind a hardware firewall that's generally not connected to the internet anyway. Why do I need to run sshd on them when telnetd does me fine?

Re:No it isn't (1)

LWATCDR (28044) | more than 5 years ago | (#25644741)

why not run sshd on them?
You can even do ssh tunneling and use scp. Plus if you ever put them on the internet you will not have to "remember" to take telnet off.

Exploit, Vulnerability, or "Working as Intended"? (1)

Laebshade (643478) | more than 5 years ago | (#25644353)

Calling it an exploit is a stretch; perhaps it's just a vulnerability, or dare I say, "working as intended"? I doubt google left such an obvious "security" flaw by mistake.

Whole lot of stupid going on in these replies .. (4, Insightful)

Idimmu Xul (204345) | more than 5 years ago | (#25644365)

The point of this exploit isn't so you can remotely hack other people's phones, it's so mobile hackers can get to a lower level than Android permits users to do, which will allow them to flash the phone with unsigned custom updates and what not and customise their phone more.

People should really read the articles and smarten up.

Haha this was such a non-hack... (1)

SplasPood (22876) | more than 5 years ago | (#25644663)

When I found this I didn't even bother posting it to xda for a couple days thinking it was so obvious that it had to be intentional/known.

Guess other people were in fact interested!
