If you protect your Android phone with a password rather than an unlock pattern or PIN, you may want to keep it in your sight a little more carefully than usual. A new, dead-simple attack could allow anyone who gets their hands on it to bypass that password lock with no more skill than it takes to cut and paste a long string of characters.
A security analyst at the University of Texas’s information security office in Austin has discovered that the widespread version 5 of Android is vulnerable to an easy lock-screen-bypass attack. The hack consists of basic steps like entering a long, arbitrary collection of characters into the phone’s Emergency Call dial pad and repeatedly pressing the camera shutter button. UT’s John Gordon, who outlines the full hack in this security notice and demonstrates it in the video below, says the trick offers full access to the apps and data on affected phones. And by using that access to enable developer mode, he says that an attacker could also connect to the phone via USB and install malicious software.
“My concern when I found this … was thinking about a malicious state actor or someone else with temporary access to your phone,” he says. “If, say, you give your phone to a TSA agent during extended screening, they could take something from it or plant something on it without you knowing.”
Gordon says he stumbled on the lock screen vulnerability while messing with his phone during a long East Texas road trip. “I’m sitting in the passenger seat, bored, with no signal on my phone, so I start poking around and seeing what unexpected behavior I can cause,” he says. “A few idle hours of tapping every conceivable combination of elements on the screen can do wonders for finding bugs.”
Gordon tested the attack only on Nexus devices, but he believes it likely works on other Android devices that use version 5 of the operating system. He reported the issue to Google in late June, and Google issued a patch for the problem last month. But given Android’s problem of depending on carriers to push out patches to devices, Gordon believes that most of the affected phones remain vulnerable for now. Google hasn’t yet responded to Wired's request for comment.
The issue is limited to phones that use a password rather than a PIN or pattern. That’s a small fraction of the millions of potentially vulnerable devices. But, perversely, it may affect the most security-sensitive Android owners most, since a long password generally offers tighter security than Android’s other log-in options.
In some respects, this attack may be more of a curiosity than a critical threat. (Google itself labelled the problem as “moderate severity.”) After all, it does require physical access to the phone—rather than allowing a hacker to break into it remotely, like the text-message-based Stagefright exploit.
Even so, if you have a vulnerable device, install any available security updates, consider switching from a password to a PIN or pattern unlock, and watch where you leave your phone. Now would be an especially bad time to forget it at the bar.