G2 doesn't have rootkit, it's just the same old NAND lock

Policy group New America has written a scathing blog entry that criticizes the HTC G2 for including a "hardware rootkit" that prevents users from installing custom firmware on the device. The report appears, however, to be based on a misunderstanding of technical issues raised in an XDA discussion thread. The G2 isn't unique in blocking third-party firmware, and it doesn't come with anything that could correctly be described as a rootkit.

In fact, the NAND write-blocking mechanism in the G2 is nearly identical to the one that HTC has included in the EVO 4G and other previous devices. Android modders say that it will eventually be cracked, just like every previous attempt by carriers and handset makers to impede third-party firmware modification. The issue of phone openness is worth exploring, but it's a lot broader and more nuanced than New America realizes.

Practically all carrier-subsidized Android handsets have some kind of mechanism in place to prevent users from installing custom third-party firmware. In order to circumvent these mechanisms, users have to obtain root access. The standard process for "rooting" an Android phone is to find a privilege escalation vulnerability (basically, a security hole) in the underlying Linux platform and exploit it in order to gain sufficient access to the device's filesystem and bootloader so that changes can be made.

Handset makers have developed increasingly sophisticated technical solutions to prevent the phone's platform-level software from being modified in the event that vulnerabilities are exploited. HTC has used a NAND write-blocking mechanism to protect against unauthorized changes on several handsets over the past year, including the HTC EVO 4G and a few others that also predate the G2. It's important to understand that the function of this lockdown is, ostensibly, to protect the user from malware like viruses and worms that might exploit platform vulnerabilities in order to modify the phone in a malicious way.

Technical investigations of the G2's behavior show that it has basically the same NAND write-block mechanism as the EVO, but is a bit more aggressive than the EVO about preventing permanent changes. HTC has indicated that the G2 will restore the original software when changes are made, but some evidence found by the modding community suggests that it doesn't actually work quite that way and might actually be a software defect. Regardless, the modding community is convinced that the G2 will eventually be fully hacked just like the EVO and various Android devices that have attempted to introduce more robust safeguards against tampering in the past.

Steve Kondik, who is known for launching the CyanogenMod third-party Android firmware project, described the blogosphere commentary about the G2 lockdown issue as "just plain wrong" in a post on Twitter. "Please stop saying 'G2 rootkit'. It's not a rootkit, just another attempt to slow us down," he explained. "The G2 root issue isn't any different than the last few phones [HTC has] released, it's the same thing as the NAND lock."

Licensing

New America's contention that the lockdown "undermines" the license is debatable philosophically, but untrue in a purely legal sense. The GPLv2, the license under which the Linux kernel is distributed, does not prohibit device vendors from using technical measures to block modifications of embedded Linux systems. In fact, the practice of blocking the installation of third-party firmware on Linux-based devices is extremely widespread.
The issue first broadly came into the awareness of the open source software community when the Free Software Foundation (FSF) expressed frustration with TiVo's use of code-signing to prevent the installation of non-standard firmware on their popular video recording devices.
The FSF attempted to block that kind of lockdown by prohibiting it in the GPLv3, with a controversial addition that has come to be known as the anti-Tivoization section. The upstream Linux kernel development community emphatically rejected the anti-Tivoization conditions and has often cited it as one of the many reasons why the Linux kernel will not be relicensed from GPLv2 to GPLv3. Linus Torvalds addressed the question of code-signing in a post on the Linux kernel mailing list in 2003.

Google's Android environment and many key components of the platform's userspace stack—including Google's own libc implementation—are distributed under the highly permissive Apache license, which even allows code to be used in closed-source applications. Google chose this license specifically so that commercial Android adopters like handset makers and mobile carriers would be able to create proprietary derivatives of Android that differentiate their products from those of their competitors.

Like the GPLv2, the Apache license does not prohibit handset makers from blocking third-party firmware modification. Although it's certainly true that preventing users from modifying the software on a device is antithetical to the philosophy held by the Free Software Foundation and many open source advocates (including myself), it does not directly conflict with the license.

Although I sympathize with concerns about how restrictions on the use of third-party firmware negatively impact user freedom, the specific complaints in the New America blog post are misdirected. Nobody should be complaining about the fact that a phone has a built-in mechanism to block unauthorized changes to the platform in the event that a phone's security is compromised. The real problem is the fact that users have to resort to exploiting privilege escalation vulnerabilities to get full access to their phone in the first place.
Framing it as a G2 issue, or suggesting that it's unprecedented simply because the G2 hasn't been cracked yet, is illogical. I think it's great that consumer advocates and public policy groups like New America want to stand up for the consumer by addressing the problem of closed devices, but they need to start by understanding the real scope of the problem.

This is not an issue that is specific to the G2 or Android phones. It's obviously relevant across the entire spectrum of programmable devices in the consumer electronics ecosystem. One could argue that it even transcends software, because it parallels the problems posed by anti-tamper screw bits that hardware modding enthusiasts have complained about for years.

Carriers

The prevalence of carrier-subsidized handset distribution is likely one of the major reasons why lockdown mechanisms have become so pervasive on handsets in North America. It's definitely not the only reason, but it's a factor that I think deserves some scrutiny.

Carrier-subsidized phones have historically come with technical measures that prevent the phone from being used on other networks, but the carriers are increasingly adding other kinds of restrictions—including irremovable crapware and mechanisms to block third-party firmware—as smartphones become more sophisticated. When the consumer buys a handset on a carrier subsidy, they are accustomed to sacrificing some of their freedom in exchange for the up-front discount that they get from the carrier.

Many consumers who don't want to contend with such restrictions have the option of buying relatively open devices directly from handset manufacturers. For example, Nokia's N900 makes it easy to obtain root access (it's as easy as installing the "rootsh" package from the Maemo Extras repository) and flash non-standard firmware, thus obviating the need for users to exploit security bugs in order to get control of the device. Google's Nexus One and open developer phones are similarly unencumbered and allow third-party firmware.
Consumers, however, continue to vote with their wallets for crapware and lock-in by buying carrier-subsidized handsets. As Google discovered when it launched the Nexus One, the market for open phones is practically non-existent in the United States.

It's important to remember that T-Mobile (the first carrier to sell the G2) still fully allows open devices like the Nokia N900 and Google Nexus One to operate on their network, which means that the company is not preventing consumers from using devices that have replaceable firmware. There is no network neutrality issue in play here; it's simply a question of what capabilities the carriers choose to enable on devices that they sell at a discount.

New America clearly doesn't understand how all the pieces fit together and jumped the gun by targeting the G2 specifically, but I'm hopeful that they will put their enthusiasm to good use by taking a look at the smartphone ecosystem and pursuing policy strategies that can address the broader problem. For example, regulations that require the carriers to be more transparent about the restrictions they impose on the devices that they sell could possibly be a good step in the right direction.

As smartphones continue to evolve into general-purpose computing devices and start playing a bigger role in how people access the Internet, it may become important for consumers to start reclaiming the freedoms that they have conceded to the carriers.
