Kindle Fire and Nook Upgrades Kill Root Access

jfruhlinger writes "The Kindle Fire and Barnes and Noble Nook tablets are similar enough and close enough together in price that they ought to be fighting market share and one-upping each other in terms of features they offer users. But the latest OS upgrades to both gadgets claims to be an 'upgrade' while actually taking functionality away: both remove the ability to root the device." A more balanced way of looking at it is that the updates fix known local privilege escalation vulnerabilities. This might be more of an issue for people wanting to hack on the Nook Tablet: its bootloader is confirmed locked, but reports lean toward the Kindle Fire having an unlocked bootloader letting anyone flash their own software without needing to gain root first.

Good

[A12m0v]

Root access was a security risk. I'm glad Amazon fixed that.

Re:Good

[SJHillman]

Sort of like being able to open the hood on your car is a security risk.

Re:Neither advertise Android as a selling point

[tepples]

Anonymous Coward wrote, in a slightly more inflammatory wording:

Neither device [...] has access to the real android market.

Maybe you should [...] go buy a real Android tablet...

Which affordable, certified "real Android tablet" in the 7 to 8 inch range do you recommend instead of a Kindle Fire or Nook Tablet? Or are Kindle Fire and Nook Tablet like game consoles, sold at razor-thin margins or even at a loss to get people onto the manufacturer's store, and that's why they're so much cheaper than Google-certified devices?

Re:Good

[Anonymous Coward]

Yeah, seriously. When you have a security flaw that allows root privilege escalation you don't just decide not to fix that because the homebrewer's were using it as a convenient way to get access to the machine. If this was on an (open) desktop platform, such a flaw wouldn't really be tolerated for long.

It's like when people are upset that an exploit in a game was fixed that people were using to win / get free stuf / etc, yet they don't get upset when a bug is fixed that was actually preventing them from completing a game.

Re:Good

[tepples]

Then let's roll with the analogy: why don't more Android devices have a legitimate hood release of sorts?

Follow the money

[MonsterTrimble]

First off, is anyone surprised? As a business, I'm making sure:
1) That people don't try to return the product when they screw it up doing something that the product wasn't intended to do (and it costs me money)
2) That I eliminate a potential attack vector for malware which would lead to decreased sales and increased returns (which costs me money)
3) That people are locked into using my products (which makes me money)

This is all about the money people. This isn't about trying to screw over the 0.1% of people who buy the tablet - It's about maximizing the profits. And let's be realistic here - they will be recracked in short order.

Re:Good

[betterunixthanunix]

If this was on an (open) desktop platform, such a flaw wouldn't really be tolerated for long.

Which is why the user should simply be given root access to begin with. Instead of having to use privilege escalation attacks, users should just be able to hit a button or flip a switch to enable root access for themselves. Quick, easy, and perhaps voiding the warranty (but I think anyone who wants root access is willing to have no warranty).

Why is this so hard?

Re:Follow the money

[betterunixthanunix]

That people don't try to return the product when they screw it up doing something that the product wasn't intended to do

It is a computer, not a hammer. Since when do we declare that a computer is "not intended" to do something in software? If people were complaining that their Nook could not solve the Post correspondence problem, you would have a point.

Re:Follow the money

[tepples]

That people don't try to return the product when they screw it up doing something that the product wasn't intended to do (and it costs me money)

The proper way to fix this isn't to block all rooting but to provide a working recovery means to reset the operating system to factory state, restore applications from the market, and restore the user's data from automatic backup. Then figure out a way to segregate the user's data so that it doesn't have to be restored as often; the "/sdcard" partition in some Android devices has worked well for this.

That I eliminate a potential attack vector for malware

You can't neutralize malware without first defining malware. This involves enumerating the possible bad things that malicious software can do. Does this list of bad things [laptop.org] miss anything?

Re:Good

[mlts]

Bingo. One can just look at the Nexus line of devices and the "fastboot oem unlock" command and the warning given as the right way to go about doing this. This is enough of a hurdle to keep Joe Sixpack from doing it so he can see the dancing bunnies, but allows people who are willing to trash their device (and not bother calling hardware support) to do what they feel free to.

Re:Good

[Andy Dodd]

Actually, a privilege escalation exploit IS a security risk.

The unlocked bootloader means that on the Fire, this is at most a small speedbump in the process of modifying a device. However this prevents malware from gaining privilege escalation. (Most of the easiest Android rooting techniques like psneuter and rageagainstthecage relied on exploits that could and WERE also used by malware such as Droid Dream.)

Re:Good

[nedlohs]

That's the point.

That isn't what was removed. What was removed was a security flaw that let a non-root app running on the device get root priveledges.

Re:Happy Holidays from the Golden Girls!

[Anonymous Coward]

This is one of the best trolls I've seen a while. People fall for it every damn time!

Re:Good

[Moryath]

And yet if the car companies removed your hood release and required a special key or tool only available at the dealerships, you'd be screaming bloody murder and so would the mechanic's unions with good reason - in fact, several times there were class action lawsuits against GM, Ford, and Toyota due to their refusal to sell the appropriate adapters and codebooks necessary to troubleshoot or reset "check engine lights" and computer warnings to the 3rd-party mechanic shops.

Imagine if the car companies wanted to take away your RIGHT to have your car fitted out with a turbocharger, or an aftermarket performance chip [servicemix.org], or a better flywheel [americanmuscle.com], or any number of other changes.

Now why is it that people don't scream bloody murder when they have a computing device in their hand, personal property they purchase, and they're told "but you don't have admin rights to change anything so there"???

Re: Car Analogy

[sunderland56]

Much better car analogy: some car manufacturer comes out with a model where, if you hit the driver's door with your hand in the right place, the door unlocks. Lots of people buy the car and enjoy it, since you don't need to carry the keys around with you. Then the car manufacturer fixes the fault, and many people cry foul. Everyone misses the point that it is a generally bad idea to allow criminals to trivially get in to your car, and that locks are a *good* thing.

Re:Good

[Anonymous Coward]

Um, check ur math dude, we're not doing factorials here. With 12 notes available on the chromatic scale used to produce your 7 note riffs it would appear your "5000 original works" figure is way off.

Wrong way:
7 * 6 * 5 * 4 * 3 * 2 * 1 = 5040

Correct way:
12 * 12 * 12 * 12 * 12 * 12 * 12 = 35,831,808

(And that's ignoring keys! Was that 3rd note a D# or an Eb?? :)

Re:Good

[bws111]

This is a pretty pathetic analogy, and yet dopes still mark it insightful. Amazing.

A car has a hood release for a very simple reason: the manufacturer REQUIRES you to perform regular checks and services under the hood. There are plenty of places in a car where the manufacturer does NOT make it easy to get to (under the dash, for instance), because in normal use (as intended by the manufacturer) there is simply no need to do that. There are other things in a car which require destruction of parts of the car to get to (some body panels, for instance).

As for adding a turbocharger, etc. I looked under the hood of my car, and I did not see some spot marked 'plug-in turbocharger here'. In fact, I don't even see enough room under there to install a turbocharger. However, I assume by your 'right' comment that you mean the manufacturer does not prevent you from installing a turbocharger.

Fair enough. However, I see no statement from the manufacturer that installing a turbocharger is supported in any way. If you install a turbocharger, it is pretty unreasonable to expect that the ECM is going to be able to handle that. It is unreasonable to expect the rest of the engine components and drivetrain to be capable of handling the extra horsepower. It is unreasonable to expect that replacement parts from the manufacturer are still going to fit. It is unreasonable to expect that the fuel economy and emissions characteristics are the same. It is unreasonable to expect the handling and braking characteristics the be able to handle the faster speeds.

And here is the big difference between your car modification and your supposed general computing device modification. When you modify your car, you no longer expect to have what the manufacturer sold you. Sure, the hardware is still yours, but the reliability, performance, etc has been changed, perhaps drastically. But, for some reason, you expect to be able to modify an eReader into a general computing device, but still have it function as the manufacturer intended.

You have just as much RIGHT to modify your Kindle as your car. You can pull any chips and replace them with other ones. You can remove their software and install your own. However, you have absolutely NO right to insist that the Kindle retain it's original function, or that the manufacturer is in any way responsible for making the device capable of doing what you want.