Android's 5.x Lock Screen may be bypassed by attackers
Android devices can be protected by a lock screen that requires some form of authentication before access is granted to most phone features, its settings and the data stored on it.
Users may protect the phone with a password, PIN or pattern, for example, and other means of protection are available as well, such as Bluetooth device authentication or unlocking based on the location you are in.
If you have set a password on your Android device and you are running Android 5.x, your phone is vulnerable to a lockscreen bypass attack.
The attack itself is surprisingly easy to carry out:
- Open the Emergency Call screen on the phone.
- Enter a long number there with lots of characters. The researchers suggested starting with 10 asterisks and then doubling these characters using copy and paste until this is no longer possible (the field is no longer highlighted).
- Go back to the homescreen afterwards and open the camera application on the device.
- Swipe down to display the notifications drawer and tap on settings. This opens a password prompt automatically.
- Paste the same characters that you used in the Emergency Dialer into the password field. Repeat this process until the UI crashes (the buttons at the bottom of the screen disappear and the camera is displayed fullscreen).
- The camera will crash eventually as well and the homescreen is displayed. The phone is unlocked and you have full access to all apps and data on it.
This attack works only if a password is used to protect the Android device. It won't work with pattern or PIN locks. If you are currently using a password-based lock, you may want to switch to a PIN or pattern-based lock in the meantime to protect your device from this attack.
The following video demonstrates the attack.
The Android developers have already fixed the issue, but it takes time before the fix lands on affected devices.
Attackers need to have physical access to the device to carry out the attack. While that is a limitation, it is still recommended to not use password-based locks on Android 5.x devices until the vulnerability has been patched on affected devices.
I don’t think every Android device running Android 5.x is susceptible to this hack. I have tried replicating this hack on my Galaxy Note 3 running Android Lollipop 5.0; once the phone is locked you cannot use the copy and paste functionality on the dialer or anywhere else.
But you can still enter the characters manually then? May take longer but the pasting is probably just there to speed things up.
Just tried this on my G4 – same thing with the copy & paste. Also, the custom camera app doesn’t allow you to swipe down on the notifications drawer while the phone’s locked
Same here. Galaxy Note 4. No copying from Emergency call screen and no drop down from the camera app. The OP should have tested on many phones before claiming “Android” lockscreen hack. This is more a Nexus using Android lockscreen hack.
Maybe a simple workaround is not to have the camera displayed on the lockscreen?
Running Android 5.0 & my lockscreen is empty except for the emergency dialer, date & time.
Does anyone know if this hack affects devices with fingerprint locks?
Does 5.1.1 fix this problem? Is there anyone who has tested it?
The most recent patch fixed this.
I have disabled the shortcut to the camera on my lock screen. Thanks to the custom ROM I’m running. Not sure if you can control this in the factory one. Personally, I believe the lock screen should not have too many functions except its main one – unlock feature. :)
I have tried replicating the steps but it doesn’t work for me.
1. You can’t copy and paste.
2. You can’t swipe down to the Notification panel when it is locked from the camera app.
3. I also tried entering the digits manually (tapped numbers in for over 15 minutes or the duration of 55 the weeknd songs) and it didn’t crash anything.
4. I think that the Samsung PIN lockscreen has a limit on the number of digits you can enter.
I can’t paste again after the first copy-paste into the password request in the camera.