Android 5.x lock screen lets attackers in with long passwords

Do you have an Android device running any 5.x version before the latest 5.1.1, build LMY48M? Is it protected by a password? If the answer is "yes," you should probably switch over to a PIN or a pattern lock instead. A vulnerability in Android's lock screen handler app will let anyone holding the device waltz right in and gain full access, even on encrypted devices. Here's a demonstration:

The exploit is simple: all the attacker has to do is type a really long character string in the emergency dialer app, which is then repeatedly pasted into the password entry field that comes up if one tries to get out of the lockscreen-invoked camera app. The lock screen will crash after some time, and the home screen will come up clean as a whistle. From that point, your phone is unlocked—anything and everything is up for grabs. If this exploit sounds familiar, it's because of a striking resemblance to the Xbox Live password snafu from last year. It's definitely not a good year for Android.

The lock screen flaw was discovered by researchers from the University of Texas Information Security Office, who reported their findings to Google back in June. Google has since added a patch to the Android Open Source Project codebase, and version 5.1.1 build LMY48M, which includes the fix, was recently released to Nexus devices. As usual, it's anyone's guess when the fix will arrive on devices made by other OEMs and/or distributed by telecom carriers.
