Google pushed out its first-ever monthly security update for Android in August, fixing the Stagefright vulnerability that an attacker could use to own your device with a malicious MMS message.
Nexus devices got their September security update last week, fixing another eight vulnerabilities, including one that could allow an attacker to bypass the lockscreen and access critical data on the device or install malicious apps.
To bypass the lockscreen an attacker has to have physical access to your device, and the device needs to be set to lock with a password (not a PIN or pattern).
The bug only affects devices running Android 5.x (before build LMY48M); Android 4.4 is also affected, but Google said the homescreen cannot be accessed on 4.4.
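A quick way to turn the version facts above into a check you can run against a handset, added here as an example that is not part of the article or any Sophos tool. It encodes only what the text states: Android 5.x before build LMY48M is affected, 4.4 is affected but does not expose the home screen, and LMY48M or later carries the fix. The one assumption (labelled in the code) is that within a single build family such as LMY, build IDs sort in release order, so a string comparison is enough; builds from another 5.x family are flagged for a manual check rather than guessed at. `adb` and the `ro.build.*` properties are real Android tooling; `lockscreen_bypass_status` and `check_attached_device` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the article): classify an Android release/build pair
# against the fixed build named in the text (LMY48M).
# Assumption: inside one build family (same 3-letter prefix, e.g. LMY) build IDs
# sort in release order, so a plain string comparison tracks "before/after".

FIXED_BUILD="LMY48M"

# lockscreen_bypass_status RELEASE BUILD_ID -> prints exactly one word:
#   patched | vulnerable | limited-4.4 | not-affected | check-manually
lockscreen_bypass_status() {
    release="$1"
    build="$2"
    case "$release" in
        5.*)
            if [ "$build" = "$FIXED_BUILD" ]; then
                echo patched
            elif [ "$(printf '%.3s' "$build")" = "$(printf '%.3s' "$FIXED_BUILD")" ]; then
                # Same family as the fixed build: lexical order == release order (assumption).
                if awk -v a="$build" -v b="$FIXED_BUILD" 'BEGIN { exit !(a < b) }'; then
                    echo vulnerable
                else
                    echo patched
                fi
            else
                # A 5.x build from another family (e.g. an LRX 5.0 build): the article
                # gives no ordering rule for these, so do not guess.
                echo check-manually
            fi
            ;;
        4.4*) echo limited-4.4 ;;      # affected, but home screen not reachable per Google
        *)    echo not-affected ;;     # outside the 4.4 / 5.x range the article names
    esac
}

# Read the live values over adb when a device is attached (not run below,
# so the script also works offline with hand-fed values).
check_attached_device() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    id=$(adb shell getprop ro.build.id | tr -d '\r')
    printf 'Android %s build %s: %s\n' "$rel" "$id" "$(lockscreen_bypass_status "$rel" "$id")"
}

# Constructed sample inputs; the first is the Nexus 4 / 5.1.1 LMY47V combination
# mentioned later in the article, the rest are illustrative release/build pairs.
for pair in "5.1.1 LMY47V" "5.1.1 LMY48M" "5.1.1 LMY48I" "4.4.4 KTU84P" "6.0 MRA58K" "5.0.1 LRX22C"; do
    set -- $pair
    printf '%-6s %-7s -> %s\n' "$1" "$2" "$(lockscreen_bypass_status "$1" "$2")"
done
```

Run it as-is to see the sample classifications, or call `check_attached_device` with a phone plugged in and USB debugging enabled. A result of `check-manually` means the build is 5.x but not from the LMY family, so compare it against your vendor's release notes instead of trusting a string comparison.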
The exploit works by entering an extremely long string of characters into the password field while the camera is open, which causes the device to crash back to the home screen.
Bug finder John Gordon – a security researcher from the University of Texas at Austin – disclosed the vulnerability privately to Google, but now that a fix is out he’s published a blog post and a video demonstrating the hack.
Gordon’s video shows the tedious but straightforward process: first he brings up the emergency dialer from the lockscreen and enters as many characters into it as possible; then he opens the camera app and taps Settings, which brings up the password field; then he copies and pastes the character string as many times as possible into the password field until the camera crashes and brings up the homescreen.
Sophos security expert Chester Wisniewski attempted to replicate the lockscreen bypass on a Nexus 4 running Android 5.1.1 LMY47V, but he was only partially successful.
Chet was able to use the hack to bypass the lockscreen, but the home screen was only partially rendered, without any icons.
I asked Chet a few questions about how the hack works, how severe a vulnerability it is, and whether we can expect to see more troubles with lockscreen bypass bugs on Android devices.
Here’s our exchange (I’m JZ and Chet is CW).
JZ: Google rated this lockscreen bypass as only a moderately severe bug. Do you agree?
CW: It is rather difficult and unintuitive to trigger, so I don’t consider it to be that major. It seems to rely on some rather specific circumstances, so I am not sure it would even work on non-Nexus devices. I suspect it depends how heavily the lockscreen software has been customized.
JZ: What goes wrong when all those characters are entered into the password field? And what does the camera have to do with it?
CW: It appears to be some sort of buffer overflow combined with a race condition. I think the camera app helps slow things down, increasing the CPU load, making it more likely you can crash things in just the right way for the phone to recover itself to an unlocked state.
JZ: Why would the camera be accessible from the lockscreen anyway? Does anyone need access to their camera without a password?
CW: I think camera access from the lockscreen is stupid and can lead to an unattended phone being filled up with dick pics. But, hey, I guess it is there so you can grab your phone and quickly start videoing just as the police are about to bring down the baton on your head.
JZ: [Laughs] Well said, Chet. But seriously, Google issued a fix for this bug on Nexus devices. What about people who have other Androids?
CW: Hopefully the vendors who are on-board with Google’s new monthly update process will push out fixes for this. However, with the lockscreen customizations that Samsung, LG and others have, it’s unclear whether or not they will be able to consume the fix, or even if they are vulnerable.
JZ: Do you think we’ll see more lockscreen bypass bugs like this one?
CW: Bugs of this sort are hard to find, but we’ve seen similar holes before on both iOS and Android devices. So I don’t imagine this will be the last one we’ll hear about.
Image of Google Nexus courtesy of Bloomua / Shutterstock.com.
5 comments on “Google fixes an Android Lollipop lockscreen bypass bug – how bad was it?”
Disclosure of this vulnerability, even after a fix is available, is irresponsible, given the sad history of carriers and of manufacturers of cookie-cutter tablets to withhold update support.
Sophos should be ashamed.
Strictly speaking, we didn’t disclose it. We reported on it so you can remain informed about it. Surely we would need to be more ashamed if we tried to pretend the hole wasn’t there, even though it’s been widely described elsewhere, together with an immensely dull 8′ video that shows you how to pull off the trick…as though everything were hunky-dory?
What we’re trying to do is to get you to think about the issues: [a] the latest Google patches fix this, so don’t delay if they are available; [b] don’t leave your phone unattended if you can help it! [c] the “attack” takes ages, so it would be hard for someone to pull off quickly – you might even have time to use the “zap my phone” feature of your favourite security software (e.g. ours); [d] Google won’t let you remove the camera app from the lockscreen, despite complexity being the enemy of security, so email and tell them that this is a bad thing! [e] if your carrier has a “sad history,” time to find another carrier, or switch to iOS (where updates come out the same day for everyone).
If you are going to shoot the messenger, you are blaming the wrong people for the venality of the carriers and manufacturers of cookie-cutter tablets. Indeed, if everyone keeps quiet about this, Google and the Android ecosystem will keep on getting away with their fragmented approach to security and people won’t be aware.
‘Coz one thing’s for sure. The crooks know about this hole!
Good article. Google is really suffering with Android fragmentation and distributing security patches. Things are getting worse, so is it safe at all to have an Android phone, when it takes such a long time…if ever…to get a security patch???
Is there a way users can check to see if their phone is vulnerable to this?
Just got Marshmallow. Now the lock screen cannot be disabled. Last two releases have been insanely bad.