Sep 23, 2015 08:02 AM EDT
Your Android’s lock screen can be overridden with a very long password.
Texas University researchers have discovered that if you use a password to lock your Android phone running Lollipop, anyone who picks it up can override your password by using the “Backup Password” function and keying in a string of random characters long enough to crash the password unlock mechanism.
When your lock screen crashes, whoever has your phone can get into your Android Lollipop phone, and into your data as well.
Or they can do whatever they please: Factory Reset your phone and reuse it as they like.
This security vulnerability affects all Android phones running Lollipop, which is estimated at 21% of the 1 billion or so Android devices around the globe as of 2014.
According to Josh Gordon of Texas University, the hack can be carried out when the Android device is in the hands of the would-be hacker. The researchers also enumerate the process in their report:
Android 5.x Lockscreen Bypass (CVE-2015-3860): http://sites.utexas.edu/iso/2015/09/15/android-5-lockscreen-bypass/
To summarize, here are the steps to bypass your locked screen:
1. Open the emergency call window from your lock screen.
2. Add characters until the field is filled, around 10 characters.
3. Then, double-tap to highlight the field, and paste the characters you just copied.
4. Keep pasting, until double-tapping no longer works.
5. Go back to the lock screen and open up the camera, which is usually opened by swiping left.
6. Swipe down to open the notifications area, and go to Settings, where a password field will appear.
7. Long-press to paste the characters you pasted on to the Emergency Call/Dialer area, until the Lock Screen crashes.
8. The Camera and the Lock Screen will crash, and you will be able to get to your Home menu.
This may be useful for users who forgot their password, and need to get to their phone without doing a flash reset. But for those whose phones are in other people’s hands, this comes as a security vulnerability, indeed.
Take note that a Lollipop lock screen secured with a PIN or a pattern cannot be hacked in this manner.
Google already rolled out a patch for its Nexus line of phones on 9/16/2015, and some users report that some models do not have this vulnerability. However, if this report creeps you out, it may be a good idea to have your phone flashed to KitKat or Jellybean, or if you’ve always wanted to try a Cyanogen ROM, now is the perfect time to get it onto your Android, preferably one that’s NOT Lollipop.
Alternatively, you can wait for Android M to roll out on your device.