IF YOU PROTECT your Android phone with a password rather than an unlock pattern or PIN, you may want to keep it in your sight a little more carefully than usual. A new, dead-simple attack could allow anyone who gets their hands on it to bypass that password lock with no more skill than it takes to cut and paste a long string of characters.
How to Hack :
A security analyst at the University of Texas’s information security office in Austin has discovered that the widespread version 5 of Android is vulnerable to an easy lock-screen-bypass attack. The hack consists of basic steps like entering a long, arbitrary collection of characters into the phone’s Emergency Call dial pad and repeatedly pressing the camera shutter button. UT’s John Gordon, who outlines the full hack in this security notice and demonstrates it in the video below, says the trick offers full access to the apps and data on affected phones. And by using that access to enable developer mode, he says that an attacker could also connect to the phone via USB and install malicious software.
“My concern when I found this…was thinking about a malicious state actor or someone else with temporary access to your phone,” he says. “If, say, you give your phone to a TSA agent during extended screening, they could take something from it or plant something on it without you knowing.
Gordon says he stumbled on the lock screen vulnerability while messing with his phone during a long East Texas road trip. “I’m sitting in the passenger seat, bored, with no signal on my phone, so I start poking around and seeing what unexpected behavior I can cause,” he says. “A few idle hours of tapping every conceivable combination of elements on the screen can do wonders for finding bugs.”
How Severe is This? :
In some respects, this attack may be more of a curiosity than a critical threat. (Google itself labelled the problem as “moderate severity.”) After all, it does require physical access to the phone—rather than allowing a hacker to break into it remotely, like the text-message-based Stagefright exploit.
Even so, those with vulnerable devices should install any available security updates, consider switching from a passcode to a PIN or pattern unlock, and watch where you leave your phone. Now would be an especially bad time to forget it at the bar.