Android's 5.x Lock Screen may be bypassed by attackers

Martin Brinkmann
Sep 16, 2015
Updated • May 22, 2018
Google Android
|
10

Android devices may be protected by a lock screen which requires some form of authentication before access to most phone features, its settings and the data stored on it is granted.

Users may protect the phone by password, pin or pattern for example, and there are other means of protection available as well, for instance by using Bluetooth device authentication or unlocking it based on locations you are in.

If you have set a password on your Android device and you are running Android 5.x, your phone is vulnerable to a lockscreen bypass attack.

The attack itself is surprisingly easy to carry out:

  1. Open the Emergency Call screen on the phone.
  2. You need to enter a long number there with lots of chars. The researchers suggested to start with 10 asterisks and then doubling these characters using copy and paste until this is no longer possible (the field is not highlighted anymore).
  3. Go back to the homescreen afterwards and open the camera application on the device.
  4. Swipe down to display the notifications drawer and tap on  settings. This opens a password prompt automatically.
  5. Paste the same characters that you used in the Emergency Dialer into the password field. Repeat this process until the UI crashes (the buttons at the bottom of the screen disappear and the camera is displayed fullscreen.
  6. The camera will crash eventually as well and the homescreen is displayed. The phone is unlocked and you have full access to all apps and data on it.

android lock password bypass attack

This attack works only if a password is used to protect the Android device. It won't work with pattern or pin locks. If you are using a password-based lock currently you may want to switch to pin or pattern-based instead for the meantime to protect your device from this attack.

The following video demonstrates the attack.

The Android developers have fixed the issue already but it takes time before the fix lands on affected devices.

Attackers need to have physical access to the device to carry out the attack. While that is a limitation, it is still recommended to not use password-based locks on Android 5.x devices until the vulnerability has been patched on affected devices.

Summary
Android's 5.x Lock Screen may be bypassed by attackers
Article Name
Android's 5.x Lock Screen may be bypassed by attackers
Description
Android 5.x devices may be vulnerable to a lockscreen bypass attack if a password is used to protect the device from unauthorized access.
Author
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. asmod said on September 16, 2015 at 8:14 pm
    Reply

    I can’t paste again after first copypaste into password request in camera

  2. martinkem said on September 16, 2015 at 3:35 pm
    Reply

    I have tried replicating the steps but it doesn’t work for me.
    1. You can’t copy and paste.
    2. You can’t swipe down to the Notification panel when it is locked from the camera app.
    3. I also tried entering the digits manually (tapped numbers in for over 15 minutes or the duration of 55 the weeknd songs) and it didn’t crash anything.
    4. I think that the Samsung PIN lockscreen has a limit on the number of digits you can enter.

  3. Oggy said on September 16, 2015 at 3:22 pm
    Reply

    I have disabled shortcut to camera on my lock screen.Thanks to the custom ROM I’m running. Not sure if you can control this in the factory one. Personally, I believe the lock screen should not have too many functions except its main one – unlock feature. :)

  4. Maelish said on September 16, 2015 at 3:17 pm
    Reply

    Does 5.1.1 fix this problem? Is there anyone who has tested it?

    1. Andrew said on September 16, 2015 at 6:04 pm
      Reply

      the most recent patch fixed this

  5. Steven said on September 16, 2015 at 12:38 pm
    Reply

    Maybe a simple workaround is not to have the camera displayed on the lockscreen ?
    Running Android 5.0 & my lockscreen is empty except for the emergency dialer, date & time.

    Does anyone know if this hack affects devices with fingerprint locks ?

  6. martinkem said on September 16, 2015 at 12:21 pm
    Reply

    I don’t think every Android device running Android 5.x is susceptible to this hack. I have tried replicating this hack on my Galaxy Note 3 running Android Lollipop 5.0, once the phone is locked you can not use the copy and paste functionality on the dialer or anywhere else

    1. Martin Brinkmann said on September 16, 2015 at 12:38 pm
      Reply

      But you can still enter the characters manually then? May take longer but the pasting is probably just there to speed things up.

      1. Wh0 said on September 16, 2015 at 9:49 pm
        Reply

        Same here. Galaxy Note 4. No copying from Emergency call screen and no drop down from the camera app. The OP should have tested on many phones before claiming “Android” lockscreen hack. This is more a Nexus using Android lockscreen hack.

      2. Aaron said on September 16, 2015 at 2:51 pm
        Reply

        Just tried this on my G4 – same thing with the copy & paste. Also, the custom camera app doesn’t allow you to swipe down on the notifications drawer while the phone’s locked

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.