A researcher at the University of Texas at Austin has found a way to bypass the lock screen on Android devices that are protected with a password. The bypass reaches the flaw through the camera app and works on devices running Android Lollipop: with the phone in hand, the researcher was able to get past the lock screen and onto the home screen without ever entering the password.
The vulnerable versions are Android 5.0 through Android 5.1.1 builds earlier than LMY48M; LMY48M is the build in which Google fixed the bug. The researcher demonstrates the bypass on a Nexus 4 running Android 5.1.1 build LMY48I. Whether device encryption is turned on makes no difference, since the attack works against the unlocked-at-boot lock screen rather than against the stored data.
Whether the flaw is also present in manufacturer ROMs, which often ship their own lock screen, is not clear. According to Google's own figures, about twenty-two percent of Android devices run version 5.0 or newer, and a little over five percent run 5.1, but it is unknown how many of those have actually received the patched build. Google released Android 5.1.1 build LMY48M, which fixes the bug, on September 9. A device's build ID can be checked under Settings, About phone, Build number; anything in the 5.0 to 5.1.1 range that is older than LMY48M should be assumed vulnerable.
How does the bypass work?
According to the researcher, the bypass only works if the phone is locked with a password (rather than a PIN or pattern) and the attacker has physical access to the device. Starting from the lock screen, the researcher opens the emergency call screen, types a few asterisks into the dialer field, selects and copies them to the clipboard, and pastes them in after the asterisks already entered.
He repeats this select, copy, paste cycle until the dialer field will not accept any more characters. Because every paste doubles the contents of the field, this takes about eleven rounds on average. The character itself does not matter; any character works, asterisks are simply what he used.
With the dialer field full, he returns to the lock screen and opens the camera from its lock screen shortcut. From the camera he pulls down the notification drawer and taps the gear icon to open Settings, which, as expected, prompts for the lock screen password.
He then pastes the clipboard contents into that password field over and over. The field has no length limit, so it keeps growing until the lock screen UI freezes and the camera app crashes in the background. When that happens the device drops to the home screen, and the attacker can open the app drawer and reach Settings like any logged-in user.
From Settings the attacker can enable USB debugging and pull data off the device with adb from a connected computer, or install a malicious app and leave the phone looking untouched.
How is this exploit solved?
Google picked this up quickly and patched it before it was widely exploited. According to the Android source, the fix is a single attribute added to the lock screen's password field: android:maxLength="500". That one line is the entire change.
The commit description says the line prevents insanely long passwords from crashing SystemUI, the process that draws the lock screen. In other words, the password entry field on the lock screen now caps its contents at 500 characters. That is still far longer than any real password, but it stops the field from growing without bound under repeated pasting, so SystemUI no longer crashes and the bypass no longer works. Note that the cap applies to what can be typed or pasted into the lock screen field; it is a bound on attacker input, not a new password policy.
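To show what the fix looks like in context, below is an illustrative layout fragment for the lock screen password field, before and after. It is an added example written for this article, not the text of Google's commit or of the actual SystemUI layout file; apart from android:maxLength="500", the element, its ID and its other attributes are assumptions about how such a field is declared rather than values taken from the source.

```xml
<!-- Added illustration, not Google's actual layout. -->

<!-- Before the fix (vulnerable): the password field has no length cap, so
     repeatedly pasting the clipboard into it grows the text without bound
     until SystemUI, which hosts the lock screen, crashes. -->
<EditText
    android:id="@+id/passwordEntry"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:inputType="textPassword"
    android:singleLine="true" />

<!-- After the fix: the single attribute added by the patch caps the field at
     500 characters. Input beyond that, typed or pasted, is dropped, so the
     field can never reach the size that crashed SystemUI. -->
<EditText
    android:id="@+id/passwordEntry"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:inputType="textPassword"
    android:singleLine="true"
    android:maxLength="500" />
```

The framework implements android:maxLength as an InputFilter.LengthFilter on the TextView, and filters run on pasted text as well as on keystrokes. That detail is what makes the one-line fix sufficient here: the attack never types the payload, it pastes it, and the filter truncates the paste all the same.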