University of Texas discovers vulnerability in Android Lollipop lockscreen

Spread the love

A researcher at the University of Texas at Austin has discovered a method to bypass a password-protected Android lockscreen. The exploit takes advantage of a weakness in the camera app and is in Android 5.0 and later.

The Android versions that the researcher reports as vulnerable are Android 5.0 to Android 5.1.1 build LMY48M. In that build, Google fixed the issue. The researcher demonstrates the bypass on a Nexus 4 running on Android 5.1.1 build LMY48I. It makes no difference to the bypass whether encryption is on or not. It is not clear whether the vulnerability also occurs in ROMs from other manufacturers. According to Google figures, 22% of Android devices are running version 5.0 or newer. 5.1% is running on version 5.1, but it is unclear how many of that 5.1% have already fixed the vulnerability. On September 9, Google released Android 5.1.1 build LMY48M. Android M, the sixth version, does not appear to be vulnerable.

The bypass only works when the smartphone has a password lock screen set, and when an attacker has physical access to the device. The researcher goes from the lock screen to the emergency call window, enters a number of asterisks there, copies them to the clipboard, pastes them behind the existing asterisks and repeats the process until the field is completely filled with the characters. Another character can also be used. After about 11 reps, the field is full.

Then he goes back to the lockscreen and opens the camera. From there, the notification drawer will open and press the cog to navigate to the settings. Here he is asked for the password. If an attacker continues to paste the characters he has on the clipboard in the password field here, the camera app should eventually crash in the background. When that happens, the user should be taken to the home screen and can access the settings after opening the app drawer. After that, he is free to turn on USB debugging, for example, and in this way to steal all the data and files of the owner, or to install a rogue app.

You might also like
Exit mobile version