Huge Vulnerability in Android Allows Lockscreen Bypass

A recently discovered vulnerability in Android Lollipop allows an attacker to bypass the password lockscreen on a mobile device and gain full access. The flaw was discovered by a security researcher at the University of Texas at Austin, who said he has already alerted Google about his findings.

The exploit requires an attacker to have physical access to the device but it will only work if the deviceEUs owner has secured it with a password. The attack wonEUt be successful if the user has secured the device with a pattern or pin configuration. The exploit gives the attacker complete access, even in cases where encryption has been enabled.

A Frighteningly Easy Attack

The vulnerability only exists in devices that run any version of Android 5.0 to 5.1.1 Lollipop. Although a patch for the flaw has already been published for Google Nexus devices, that still leaves a large number of phones vulnerable to attack. Even more troubling, the attack is relatively simple to execute, and doesn't require any specialized knowledge.

To bypass the password, all an attacker has to do is input a sufficiently long string of symbols into the password field while the camera app is running. Doing so causes the lockscreen to crash to the home screen, at which point the attacker has complete access to the device.

John Gordon, the security analyst at UTEUs information security office, first reported the flaw to Google in June, at which point the company managed to reproduce the bug and assigned it a low severity level.

Two weeks later, Google increased the bugEUs severity rating to moderate, but it wasnEUt until the middle of August that it released a patch for the flaw. The company released Android 5.1.1 build LMY48M on September 9 with the fix for the vulnerability, and made the issue public...

Comments are closed.