New Android lockscreen hack gives attackers full access to locked devices

Android logoSoftware bugs that allow attackers to bypass smartphone lockscreens are common enough for both Android and iOS devices, but like a fender bender on the highway, many of us can't resist the urge to gawk anyway. There's a newly disclosed way for someone who has a few uninterrupted moments with a handset running most versions of Android 5.x to gain complete control of the device and all the data stored on it.

The hack involves dumping an extremely long string into the password field after swiping open the camera from a locked phone. Unless updated in the past few days, devices running 5.0 to 5.1.1 will choke on the unwieldy number of characters and unlock, even though the password is incorrect. From there, the attacker can do anything with the phone the rightful owner can do.

The following video demonstrates the attack in action. The technique begins by adding a large number of characters to the emergency call window and then copying them to the Android clipboard. (Presumably, there are other ways besides the emergency number screen to buffer a sufficiently large number of characters.) The hacker then swipes open the camera from the locked phone, accesses the options menu, and pastes the characters into the resulting password prompt. Instead of returning an error message, vulnerable handsets unlock.

The vulnerability has been fixed in the "LMY48M" Android 5.1.1 build Google released last week for the Nexus 4, 5, 6, 7, 9, and 10. But as most people know, it can take months or years for updates to hit the masses, and some devices never receive security patches. Indeed, neither of the Nexus 5 phones this Ars reporter uses have received the over-the-air build update from last week.

Fortunately, the vulnerability was introduced in version 5, so the number of affected handsets is only a small fraction of the overall Android user base. Vulnerable users who can't get an update or don't want to wait for one to become available can switch to a PIN or pattern-based lockscreen, neither of which is susceptible to the hack. And while we're on this topic of Android lock patterns, readers may be interested in recently presented research showing that many of them are surprisingly predictable.

Source: Ars Technica

Tags: Android, OSes

Add comment

Your name:
Sign in with:
Your comment:

Enter code:

E-mail (not required)
E-mail will not be disclosed to the third party

Last news

Galaxy Note10 really is built around a 6.7-inch display
You may still be able to download your content
Facebook, Messenger and Instagram are all going away
Minimize apps to a floating, always-on-top bubble
Japan Display has been providing LCDs for the iPhone XR, the only LCD model in Apple’s 2018 line-up
The 2001 operating system has reached its lowest share level
The entire TSMC 5nm design infrastructure is available now from TSMC
The smartphone uses a Snapdragon 660 processor running Android 9 Pie
The Samsung Galaxy A5 (2017) Review
The evolution of the successful smartphone, now with a waterproof body and USB Type-C
February 7, 2017 / 2
Samsung Galaxy TabPro S - a tablet with the Windows-keyboard
The first Windows-tablet with the 12-inch display Super AMOLED
June 7, 2016 /
Keyboards for iOS
Ten iOS keyboards review
July 18, 2015 /
Samsung E1200 Mobile Phone Review
A cheap phone with a good screen
March 8, 2015 / 4
Creative Sound Blaster Z sound card review
Good sound for those who are not satisfied with the onboard solution
September 25, 2014 / 2
Samsung Galaxy Gear: Smartwatch at High Price
The first smartwatch from Samsung - almost a smartphone with a small body
December 19, 2013 /

News Archive



Do you use microSD card with your phone?
or leave your own version in comments (15)