Locking devices down too hard, and other tales of broken phones

Submitted by brad on Tue, 2013-10-01 18:01
Topic: 
Privacy
Telecom

One day I noticed my nice 7 month old Nexus 4 had a think crack on the screen. Not sure where it came from, but my old Nexus One had had a similar crack and when it was on you barely saw it and the phone worked fine, so I wasn't scared -- until I saw that the crack stopped the digitizer from recognizing my finger in a band in the middle of the screen. A band which included dots from my "unlock" code.

And so, while the phone worked fine, you could not unlock it. That was bad news because with 4.3, the Android team had done a lot of work to make sure unlocked phones are secure if people randomly pick them up. As I'll explain in more detail, you really can't unlock it. And while it's locked, it won't respond to USB commands either. I had enabled debugging some time ago, but either that doesn't work unlocked or that state had been reset in a system update.

No unlocking meant no backing up the things that Google doesn't back up for you. It backs up a lot, these days, but there's still dozens of settings, lots of app data, logs of calls and texts, your app screen layout and much more that's lost.

I could repair the phone -- but when LG designed this phone they merged the digitizer and screen, so the repair is $180, and the parts take weeks to come in at most shops. Problem is, you can now buy a new Nexus 4 for just $199 (which is a truly great price for an unlocked phone) or the larger model I have for $249. Since the phone still has some uses, it makes much more sense to get a new one than to repair, other than to get that lost data. But more to the point, it's been 7 months and there are newer, hotter phones out there! So I eventually got a new phone.

But first I did restore functionality on the N4 by doing a factory wipe. That's possible without the screen, and the wiped phone has no lock code. It's actually possible to use quite a bit of the phone. Typing is a pain since a few letters on the right don't register but you can get them by rotating. You would not want to use this long term, but many apps are quite usable, such as maps and in particular eBook reading -- for cheap I have a nice small eBook reader. And you can make and receive calls. (Even on the locked phone I could receive a call somebody made to me -- it was the only thing it could do.) In addition, by connecting a bluetooth mouse and keyboard, I could use the phone fully -- this was essential for setting the phone up again, where the lack of that region on the touchpad would have made it impossible.

One of my security maxims is "Every security system ends up blocking legitimate users, often more than it blocks out the bad guys." I got bitten by that. There are a number of ways I could have been allowed into the phone that would still be secure. Here are some:

  • Some Android devices let you plug in a USB mouse using an OTG adapter. The N4 doesn't allow this, the N7 does. With a mouse, I could have traced the lock code and been set to go.
  • As an alternative, the best solution would probably be a way to do an emergency pairing of a Bluetooth mouse using just the volume and power keys or other external clues. For example if the phone is locked and you press a certain sequence of the external buttons, then pair with any mouse or keyboard you find nearby which is waiting to pair, and confirm with final press. Then, again you would be able to unlock and do all other things.
  • Failing that, since the device regularly checks with big-G for new apps you have requested on the web site, let me issue a command on the web site that tells my phone to unlock itself. I would probably need to provide my unlock code (as a series of digits) when doing this, though strictly, since on the web site I can download any app and give it any permissions, I'm not sure if a remote unlock is all that dangerous, security-wise.
  • Likewise, a computer connected by USB should be able to send a version of the lock code as digits, and get access. Since mostly what I wanted was a backup, the backup tool which work over USB could do this.
  • If I had put a suitable app into the phone while rooted, I probably could have done some of the above things. But I lost root with the 4.3.3 update and had not restored it.

In addition, it would be nice if my carrier (T-mobile) had been able to let me set up call forwarding from the web, without access to the phone. At first I switched to another phone and so forwarding would have helped -- though as noted the phone could still answer, but that's just luck. This would be a very handy feature for people who leave phones at home etc. -- does anybody offer it?

Now, it's easy for me to think of these alternate methods after the fact. The truth is, phone digitizers are cracking left and right -- I see it all the time. Repair stores must be doing well. But phones are going obsolete so fast that most people just want to upgrade if the repair is expensive. (It's not that expensive on devices where the digitizer is not glued to the screen and the screen is undamaged. There typical repairs are in the $50-$80 range and can be less if you do it yourself.) Problem is people are buying $600 phones with $400 subsidy for a contract, and the replacement is expensive. I may be talked into putting the phone into a case. That does goad me because I know how much work phone designers do to make their phones small, light and thin, and then the cases just take that away. It may be time for phone designers to put more shock protection right into the phone, even though that makes it bigger.

Share on:
  • Reddit logo
  • Facebook logo
  • Twitter logo
  • LinkedIn logo

Comments

Lunatic Esex

Wed, 2013-10-02 00:36

What's the marginal cost to the average manufacturer of making a phone more durable, or more easily/cheaply repairable, vs how many more they would sell with that as an added feature? They might even sell less, if the added durability makes a phone comparably larger/bulkier than its direct competitors. And of course they don't mind so much if you have to buy a whole brand new phone--at least as long as your new one is made by them as well.

Google doesn't seem to have much incentive to adding those features you mention to Android, as the ROI is probably considered fairly low. The carriers also probably don't have much incentive to add remote call forwarding from your mobile phone. It'd involve development, testing, deployment, more testing... There are security concerns that would have to be dealt with (you don't want someone else forwarding your calls away from your phone), and support hassles. They probably couldn't justify it for the small percentage of their customer base who'd want it and use it.

Don't worry too much, though: I imagine in the next 6-9 months there'll be plenty more phones coming out jumping on a bandwagon of using fingerprint sensors for unlocking, making cracked/damaged screens less of an issue. ;)

Whether those fingerprint sensors will be any GOOD (*cough* Motorola Atrix) and/or will be very durable or dependable remains to be seen.

brad

Wed, 2013-10-02 01:28

The economics of cell phone purchase are mucked up by the subsidies as well.

Still, looking around I see a lot of people with cracked phones. And I'm only seeing the ones that have cracks that didn't disable the digitizer. I think what it would take would be a lot more press about just how often people are damaging phones and paying high prices, and people would start asking for a more robust phone. I mean they already do, but they do it by buying a protective case. So as that demand grows, handset vendors should be able to say, "Look, our phone is more robust and still thin and light without you buying a case for it."

Lunatic Esex

Thu, 2013-10-10 16:40

As is the case with most things in technology, the average end user has a skewed sense of what is the vendor's fault and what is their fault. Many people will use some less-than-optimal software or hardware and think that their problems with it are because "computers are hard," or "it's more technical than I can deal with." This is why there are things like BestBuy's Geek Squad, not to mention the size of any corporate IT department and the major source of any friction that might exist between them and any employees in the rest of the company. Similarly they may blame vendors for things that out of the vendor's control.

On this scale of things I think that end users are less likely to raise significant complaints about the durability of their smartphone screens. Of course most people with cracked screens are going to at least make an attempt to get a free replacement, and many of them know full well that the screen was cracked due to their own actions or a simple accident. If it's outside of warranty coverage the reaction is less likely to be "Why didn't the manufacturer make this phone more durable? I'm going to raise a fuss about this!" and more likely "Damnit. (*grumble grumble expletive grumble*) Next time I'm going to (buy a different brand/buy a protective case/get extended warranty coverage/etc.)."

In other words, "It's your own fault, not the toymakers', when your toys break."

I do believe there are stories about Vertu comping out with a crazy-priced ($7000+) smartphone with a sapphire screen, though. Perhaps that would be durable enough for you. :)

Dave

Thu, 2013-10-03 07:08

http://blogs.computerworld.com/android/22860/android-remote-lock

You can use the Android Device Manager to remotely reset the password.

brad

Fri, 2013-10-04 21:29

This only works if you set it up in advance on the phone. Again, a reasonable security philosophy as you are giving anybody who gets at your browser the power to wipe your phone. (Personally I think a wipe should require a 2nd level auth, and maybe even a lock change.)

Nick

Fri, 2013-10-04 11:03

Loves this line: "Every security system ends up blocking legitimate users, often more than it blocks out the bad guys."

At least the security problem you faced was intended to protect you. Worse are the security systems which are intended to protect somebody else FROM you. This is exactly what is wrong with Digital Rights Management, including DVD Regionalization, Printer Cartridge Regionalization and so many other security systems.

The region systems piss me off particularly, since I have been caught by those over and over again. When I moved from the US to Amsterdam, I couldn't buy DVDs because my player couldn't play them.
When I moved back to the US I brought the printer I bought in the Netherlands. Now I can't buy toner for it.

In the first case, I simply stopped purchasing.

In the second I have hacked the system, as have many others by what I see online, but now that I have hacked it I can refill toner cartridges and will buy less toner.

In both cases the security system results in LESS money in the companies pocket from me and a pissed off consumer. Does this offset the pirating? I seriously doubt it.

Add new comment