The Android Lock Screen Password Can Be Overridden

Your Android’s lock screen can be overridden with a very long password.

Texas University researchers have discovered that if you use a password to lock your Android phone running Lollipop, anyone who picks it up can override your password by using the “Backup Password” function and keying in a string of random characters long enough to crash the password unlock mechanism.

When your lock screen crashes, whoever has your phone can get into your Android Lollipop phone, and into your data as well.

Or they can do whatever they please: Factory Reset your phone and reuse it as they like.

This security vulnerability affects all Android phones running Lollipop, which is estimated to be at 21% of the 1 Billion or so Android devices around the globe as of 2014.

According to Josh Gordon of Texas University, the hack can be enacted when the Android is in the hands of the would-be hacker. They also enumerate the process in their report:

Android 5.x Lockscreen Bypass (CVE-2015-3860): https://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/

To summarize, here are the steps to bypass your locked screen:

1. Open the emergency call window from your lock screen.

2. Add characters until the field is filled, around 10 characters.

3. Then, double-tap to highlight the field, and paste the characters you just copied.

4. Keep pasting, until double-tapping no longer works.

5. Go back to the lock screen and open up the camera, which is usually opened by swiping left.

6. Swipe down to open the notifications area, and go to Settings, where a password field will appear.

7. Long-press to paste the characters you pasted on to the Emergency Call/Dialer area, until the Lock Screen crashes.

8. The Camera and the Lock Screen will crash, and you will be able to get to your Home menu.

This may be useful for users who forgot their password, and need to get to their phone without doing a flash reset. But for those whose phones are in other people’s hands, this comes as a security vulnerability, indeed.

Take note that a Lollipop lock screen secured with a PIN or a pattern cannot be hacked in this manner.

Google has already rolled out a patch for their Nexus line of phones last 9/16/2015, and some models do not have this vulnerability, as some users report. However, if this report creeps you out, it may be a good idea to have your phone flashed to KitKat or Jellybean, or if you’ve always wanted to try a Cyanogen ROM, now is the perfect time to get it onto your Android, preferably one that’s NOT Lollipop.

Alternatively, you can wait for Android M to roll out on your device.