Not Every Bug is Bad
Friday, 1. October 2004, 08:13:00
Here is what I saw. Some company X (there wasn't a specific name in the dream) had captured a huge share of the mobile phone market. Nearly every second phone in the country was their model Y. There was only one point on which X lost to the competitors: others had platforms for user-downloadable applications (some had Java, others had Symbian) while X didn't have any such platform. X could release a new phone model, but most users were currently happy with Y, and few would buy a new phone just for the downloadable applications. However, X wanted to make money on downloadable applications. They'd considered free firmware upgrades in service centers, but this option wasn't good enough: service centers in a big country work slowly, and users would have to wait for weeks to have their firmware upgraded, so hardly any of them would use the service. (This is actually true. When my phone needed reflashing as a warranty repair, I got it back from service after a month.)
The solution that was finally implemented was found by programmers, not marketers. One of them, having heard of the problem, made a suggestion as a joke, not actually hoping for it to be taken seriously. This programmer happened to work on the Y firmware source code, modifying it for use in the future model Z. While reading the code, he had found a bug in the code that handled incoming chained (concatenated) SMS messages. A specially crafted chained message could cause a buffer overflow that, in theory, let an attacker execute arbitrary code. Nobody else knew about the bug, and the chance of it being triggered accidentally was one in a billion. The programmer's idea was to use the vulnerability to upgrade the firmware remotely.
And that was what they did. Of course, the users weren't notified of the vulnerability. Company X simply offered all users a “remote software update for the mobile phone” for a symbolic fee of $1, promising that the update would add new features to the phone, including the ability to download applications. To perform the update, a user had to send an SMS to a special number (so that nobody could order a surprise upgrade for a neighbour). In reply, the server sent the user a chained SMS message exploiting the vulnerability. It consisted of several chunks and contained a bootstrap loader. The loader used GPRS to download the new firmware from the X server (the $1 was actually used to pay the cellular carrier for this GPRS traffic). After a checksum verification, the loader installed the firmware into the flash memory and restarted the phone. (To prevent incomplete reflashing because of a weak battery, the loader told the user to connect the charger to the phone.) Besides the support for downloadable applications, the new firmware contained other improvements. One of them was a fix for the vulnerability so that nobody else could ever exploit it again; the other was the ability to download firmware images over GPRS and install them (after checksum verification, of course) — just in case.
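The post names the bug class (a buffer overflow in the handler for chained, i.e. concatenated, SMS) but, being a dream, shows no code. What follows is an added example written for this page, not code from the post or from any phone vendor: a minimal reassembler for concatenated SMS segments in C, first in the unbounded form that produces exactly that class of overflow, then with the range checks that close it. The segment layout follows the 8-bit concatenation information element of the GSM SMS User Data Header (IEI 0x00 carrying reference, total parts and sequence number); the buffer sizes, the MAX_PARTS limit, the stand-in bytes after the buffer and the test segments are all constructed for the demo and are assumptions, not facts about any real firmware.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed sizes, not figures from the post: 140 bytes of user data minus a 6-byte
 * concatenation UDH leaves 134 payload bytes per segment; up to 8 segments are kept. */
#define SEG_MAX   134
#define MAX_PARTS 8
#define MSG_MAX   (SEG_MAX * MAX_PARTS)

struct reassembly {
    uint8_t ref, total, part_len[MAX_PARTS];  /* part_len 0 = segment not received yet */
    uint8_t mem[MSG_MAX + SEG_MAX];  /* mem[0..MSG_MAX) is the message buffer; the trailing
                                        SEG_MAX bytes stand in for whatever lives next to it */
};

/* Find the 8-bit concatenation IE (IEI 0x00, length 3: ref, total, seq) in the
 * User Data Header. Returns 0 and the payload offset on success, -1 otherwise. */
static int parse_concat_udh(const uint8_t *ud, size_t len, uint8_t *ref,
                            uint8_t *total, uint8_t *seq, size_t *payload_off)
{
    if (len < 2 || (size_t)ud[0] + 1 > len) return -1;
    size_t end = 1 + ud[0], i = 1;            /* UDHL counts the bytes that follow it */
    for (; i + 2 <= end; i += 2 + ud[i + 1]) {
        if (i + 2 + ud[i + 1] > end) return -1;
        if (ud[i] == 0x00 && ud[i + 1] == 3) {
            *ref = ud[i + 2]; *total = ud[i + 3]; *seq = ud[i + 4]; *payload_off = end;
            return 0;
        }
    }
    return -1;
}

/* The bug class in the post: seq and the chunk length come straight off the air
 * interface and are never bounded, so seq > MAX_PARTS writes past the buffer. */
static int reassemble_vulnerable(struct reassembly *r, const uint8_t *ud, size_t len)
{
    uint8_t ref, total, seq; size_t off;
    if (parse_concat_udh(ud, len, &ref, &total, &seq, &off)) return -1;
    memcpy(r->mem + (size_t)(seq - 1) * SEG_MAX, ud + off, len - off);   /* BUG */
    return 0;
}

/* Hardened: every sender-controlled field is range-checked before it becomes an
 * index or a length, and a segment is never accepted twice. */
static int reassemble_hardened(struct reassembly *r, const uint8_t *ud, size_t len)
{
    uint8_t ref, total, seq; size_t off;
    if (parse_concat_udh(ud, len, &ref, &total, &seq, &off)) return -1;
    size_t chunk = len - off;
    if (total == 0 || total > MAX_PARTS || seq == 0 || seq > total) return -2;
    if (chunk == 0 || chunk > SEG_MAX) return -2;
    if (r->total == 0) { r->ref = ref; r->total = total; }
    else if (r->ref != ref || r->total != total) return -3;  /* belongs to another message */
    if (r->part_len[seq - 1]) return -3;                      /* duplicate segment */
    memcpy(r->mem + (size_t)(seq - 1) * SEG_MAX, ud + off, chunk);
    r->part_len[seq - 1] = (uint8_t)chunk;
    return 0;
}

/* Constructed test segment: UDHL 5, IE "00 03 ref total seq", then the payload. */
static size_t build_part(uint8_t *out, uint8_t ref, uint8_t total, uint8_t seq,
                         const char *payload, size_t n)
{
    const uint8_t udh[6] = { 0x05, 0x00, 0x03, ref, total, seq };
    memcpy(out, udh, sizeof udh);
    memcpy(out + sizeof udh, payload, n);
    return sizeof udh + n;
}

/* Two ordinary segments, delivered out of order: 1 if the hardened path accepts
 * both and lands each in its own slot, 0 otherwise. */
int demo_legit(void)
{
    uint8_t p1[160], p2[160]; struct reassembly r = {0};
    size_t n1 = build_part(p1, 0xAB, 2, 1, "Not every ", 10);
    size_t n2 = build_part(p2, 0xAB, 2, 2, "bug is bad", 10);
    if (reassemble_hardened(&r, p2, n2) || reassemble_hardened(&r, p1, n1)) return 0;
    return r.part_len[0] == 10 && r.part_len[1] == 10 &&
           !memcmp(r.mem, "Not every ", 10) && !memcmp(r.mem + SEG_MAX, "bug is bad", 10);
}

/* Crafted segment with sequence number MAX_PARTS + 1 against the vulnerable path:
 * returns how many payload bytes landed beyond the message buffer (16). seq is chosen
 * so the stray write lands in the stand-in bytes instead of crashing the demo. */
int demo_crafted_vulnerable(void)
{
    uint8_t p[160]; struct reassembly r = {0};
    reassemble_vulnerable(&r, p, build_part(p, 0xCC, MAX_PARTS + 1, MAX_PARTS + 1, "AAAAAAAAAAAAAAAA", 16));
    int clobbered = 0;
    for (size_t i = MSG_MAX; i < sizeof r.mem; i++) clobbered += (r.mem[i] == 'A');
    return clobbered;
}

/* The same crafted segment against the hardened path is rejected before any copy (-2). */
int demo_crafted_hardened(void)
{
    uint8_t p[160]; struct reassembly r = {0};
    return reassemble_hardened(&r, p, build_part(p, 0xCC, MAX_PARTS + 1, MAX_PARTS + 1, "AAAAAAAAAAAAAAAA", 16));
}
```

The unchecked path writes the crafted segment at (seq - 1) * SEG_MAX, which for seq = 9 is the first byte past the message buffer; the hardened path fails the range check and never reaches the copy. One caveat for the loader in the post: the checksum it verifies only catches corrupted downloads. It does not tell the phone who built the image, so anyone who could sit between the phone and the GPRS server, or reach the same bug, could feed it firmware of their own; a signature over the image, verified against a key held in the phone, is what closes that gap.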
In Russian: Не всякий баг вреден (Not Every Bug Is Harmful)