Samsung Galaxy security vulnerability unlocks homescreen

Filed Under: Featured, Privacy, Security threats, Vulnerability

If you're nimble enough, you can get past the Galaxy Note 2's lock screen.

And PIN. And password. And face unlock.

Terence Eden recently discovered the minor security vulnerability in Samsung's Note 2 smartphone-tablet hybrid.

Much like the iPhone passcode hack from last week, this Galaxy glitch involves lightning-fast reflexes and a cancelled call to emergency services.

Given that the attack is of limited value, Eden provides full instructions on how to exploit it.

If you follow his instructions, which we hope you don't, given that this attack once again relies on placing bogus emergency calls, you can run apps and dial numbers on phones - even if they're locked with a pattern lock, PIN, password, or face unlock.

According to Eden - a mobile enthusiast who has written for Naked Security in the past - there's no way to protect your phone against being accessed in this manner, so it's perhaps wise to keep your gadget away from people with good reflexes.

This is a low-level threat, he writes, given that an attacker can only put through a call on a targeted Galaxy if it has a direct dial widget on the home screen.

It sounds like the threat of an attacker running a Galaxy's apps is low, as well, given that any launched apps immediately zip into the background, Eden says.

But if the app performs an action on launch, such as recording with the Galaxy microphone, switching on flash, playing music or interacting with a server, an attacker can use this exploit to trigger such actions.

Eden provided this list of options to secure against the attack:

  • Do not use direct dial widgets on your homescreen.
  • Remove any calendar or email widgets which may show sensitive information from your homescreens.
  • Ensure that any apps which you do have on your homescreens do not automatically cost you money or act maliciously when launched.
  • Use an app locker to prompt for a password when apps are launched.
  • Changing to a different launcher will not protect you.
  • Using a 3rd party lock screen will not protect you if it accesses the emergency dialer.
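The third item in Eden's list is the one a developer can act on directly. An app that starts a sensitive action the moment it launches is, by the article's own description, the kind that a lock-screen bypass turns into a problem, so the app should not assume that being launched means the owner unlocked the phone. The following Android Activity is an added example (it is not code from the article, from Eden, or from Samsung) that checks the keyguard state before starting a microphone recording on launch, and stops the recording as soon as the Activity is pushed into the background. It assumes the app declares RECORD_AUDIO in its manifest; the class name, the output file name and the recording itself are illustrative choices.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.media.MediaRecorder;
import android.os.Bundle;
import android.widget.Toast;

import java.io.File;
import java.io.IOException;

/**
 * Hypothetical "voice memo" app that starts recording as soon as it is opened.
 * Rather than trusting that a launch came from an unlocked phone, it asks the
 * system whether a secure keyguard (PIN, pattern, password, face unlock) is
 * still engaged and refuses to record automatically in that case.
 * Requires <uses-permission android:name="android.permission.RECORD_AUDIO"/> (assumed).
 */
public class AutoRecordActivity extends Activity {

    private MediaRecorder recorder;

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        if (isSecureKeyguardEngaged()) {
            // Launched while the lock screen is still up: do nothing on the
            // user's behalf and leave. A locked phone should never start
            // recording, dialling or talking to a server just because an
            // Activity was created.
            Toast.makeText(this, "Unlock the device to record", Toast.LENGTH_SHORT).show();
            finish();
            return;
        }

        try {
            startRecording();
        } catch (IOException e) {
            Toast.makeText(this, "Could not start recording", Toast.LENGTH_SHORT).show();
            finish();
        }
    }

    @Override
    protected void onPause() {
        // The article notes that apps launched through the glitch are pushed
        // straight into the background; stopping here means a backgrounded
        // instance never keeps the microphone open.
        stopRecording();
        super.onPause();
    }

    /**
     * True when the user has configured a secure lock and it is currently
     * engaged. isKeyguardSecure() alone would also be true on a locked phone
     * that the owner has legitimately unlocked, so both checks are needed.
     */
    private boolean isSecureKeyguardEngaged() {
        KeyguardManager km = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
        return km != null && km.isKeyguardSecure() && km.isKeyguardLocked();
    }

    private void startRecording() throws IOException {
        recorder = new MediaRecorder();
        recorder.setAudioSource(MediaRecorder.AudioSource.MIC);
        recorder.setOutputFormat(MediaRecorder.OutputFormat.THREE_GPP);
        recorder.setAudioEncoder(MediaRecorder.AudioEncoder.AMR_NB);
        // App-private storage; file name is an illustrative choice.
        File out = new File(getFilesDir(), "memo.3gp");
        recorder.setOutputFile(out.getAbsolutePath());
        recorder.prepare();
        recorder.start();
    }

    private void stopRecording() {
        if (recorder == null) {
            return;
        }
        try {
            recorder.stop();
        } catch (RuntimeException ignored) {
            // stop() throws if nothing was captured; the file is simply discarded.
        } finally {
            recorder.release();
            recorder = null;
        }
    }
}
```

The same keyguard check belongs in any launch-time action an app performs automatically: a direct-dial shortcut can fall back to merely opening the dialer (ACTION_DIAL) instead of placing the call (ACTION_CALL) while the keyguard is engaged, and a sync on launch can be deferred until the phone is unlocked. The check does not fix the lock screen, but it removes the "performs an action on launch" property that makes an app worth launching through a bypass in the first place.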

With regards to getting a response from Samsung, Eden hasn't had any luck.

Unfortunately, the company has restricted its bug bounty program to TVs.

Regardless of your opinion about whether paying for bugs helps improve your products' risk profile or encourages otherwise disinterested people to hack them, there's one thing you can say about bug bounty programs: at least you get a clear path to responsible disclosure.

But given that Samsung has recent experience with hacked TVs that allow intruders to watch you, change channels or plug in malware, perhaps it's not surprising that its eyes are, apparently, glued to the tube.

Phone burglar image from Shutterstock


3 Responses to Samsung Galaxy security vulnerability unlocks homescreen

  1. Anet · 907 days ago

    Is this just the Galaxy note?

  2. phani · 907 days ago

    found this issue with Xolo 900 Android version 4.0.4
    but if we are very quick then only...

  3. Kasey · 907 days ago

    Can someone suggest an application blocker (as mentioned in the article above) that prompts for a password when apps are launched?


About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.