It's Bugs All the Way Down

Security Research by Dan Rosenberg

Plagiarism in the Android Rooting Scene

In the past few months that I’ve been involved in rooting/modding Android phones, one thing that has continually bothered me is a lack of understanding about who deserves credit in the development of a root exploit for an Android phone, which frequently leads to cases of plagiarism. In this post, I hope to give some background for those not involved in the technical side of rooting phones so they can better understand the process.

What is Rooting?

Increasingly, cell carriers (e.g. Verizon) and handset manufacturers (e.g. Motorola) have attempted to lock down their phones so that users do not have full control over their devices. Ostensibly, this is for “security reasons”, but in actuality, these decisions are made solely to protect carriers’ business models. For example, carriers have somehow convinced the general public that it’s reasonable to charge additional money for tethering (using a phone’s Internet connection through another device), despite the fact that tethering imposes virtually no additional cost to these carriers; this is akin to a laptop manufacturer charging you extra money if you want to use your laptop with an external monitor. But that’s a rant for another time.

“Rooting” simply amounts to gaining administrative privileges on your device. Free tethering (where “free” means “I already pay for my data plan”) is one of the things that is possible if you root. Of course, other things are also possible if you gain root access, ranging from custom themes and skins to complete operating system overhauls, and in many cases these custom themes and ROMs are what the modding community is most interested in. Other benefits include the ability to remove the bloatware that comes automatically installed on many phones (and can’t be removed otherwise).

How is This Related to Bootloaders?

One of the ways handset manufacturers have begun preventing phone owners from fully controlling their devices is by “locking” the bootloader on the phone. When the phone is turned on, every stage of the boot process, up until when the operating system kernel is loaded into memory, is cryptographically signed and verified, so that it’s impossible to cause the device to run a custom operating system. If you try to flash a custom kernel to the device that isn’t signed with the handset manufacturer’s key, it will fail to boot.

On a phone with an unlocked bootloader, rooting is easy: you can simply flash a custom ROM to the phone that is deliberately designed to give the owner root privileges. On phones with locked bootloaders, this option is not available, so people interested in rooting a phone must identify a known or unknown vulnerability in the Android operating system in order to escalate their privileges from a normal user to root.

What Does that One-Click Root Script Actually Do?

When you download and run a “one-click root script”, two things happen:

1. The script exploits some vulnerability in the Android operating system to gain root privileges on the device.

2. Using these newly gained root privileges, the script installs a few applications that will allow the user to retain these root privileges once the device is rebooted (namely, the “su” binary and the “Superuser” application).

The second step has been done dozens of times, and requires literally five lines of scripting code that could be written by any of thousands (maybe millions) of amateur programmers. The first part, on the other hand, can require serious effort. Depending on the exploit, it may just require some specialized knowledge or cleverness (as was the case with the Droid 3 exploit), or it may involve a much more substantial development effort (as was the case with Revolutionary’s excellent ZergRush exploit).

Plagiarized Exploits

Unfortunately, the Android rooting community consistently fails to understand the real division of labor involved. As a result, it’s common for some aspiring Android hacker to come along, take someone else’s exploit (which likely took a significant amount of skill, experience, and time to develop), slap on the few lines of script necessary to automate the process, and proudly claim “I’ve rooted a phone!”.

In reality, no, he didn’t root the phone. The person who wrote the exploit rooted the phone; this guy just spent five minutes packaging it up for mass consumption. This is like someone who manufactures pill bottles taking credit for curing a disease. Sure, it’s an important part of the process, but it’s not a part that requires any ingenuity or specialized knowledge.

I’ve seen this happen dozens of times with no credit whatsoever given to the actual author of the exploit, including the recent publication of a root for the Motorola Droid Razr without even a mention of the authors of the actual exploit. As another example, vulnerabilities discovered and exploited by Sebastian Krahmer and Tavis Ormandy have resulted in a huge number of phones being rooted, but it’s common to see their names omitted when a root package is published. This amounts to outright plagiarism.

What Can I Do About This?

Be informed. If you’re rooting your phone, try to learn a little bit about the effort that went into making it happen. It’s entirely possible the exploit being used was developed by some security researcher who doesn’t even know his work has been “borrowed” without credit. Unfortunately, some people are happy to soak up the limelight (and sometimes accept monetary donations) regardless of whether they actually did the work or not. If you observe a case where someone has published a root script or package and has not properly credited the author of the exploit, speak up, and make it clear that using other people’s work without attribution is not acceptable. And if you’re an aspiring Android hacker looking to publish a root script that uses someone else’s exploit, make sure you give credit where credit is due.

Finally, if you’re a security researcher or exploit developer who releases exploit code to the public, I recommend any exploits you publish be accompanied by an appropriate license and copyright. Exploit code is not fundamentally different from other software, and as an author you deserve the right to control redistribution of your work.

This entry was posted on Friday, November 11th, 2011 at 1:51 pm and is filed under Android, Exploitation.