Google fixes an Android Lollipop lockscreen bypass bug – how bad was it?

Google pushed out its first-ever monthly security update for Android in August, fixing the Stagefright vulnerability that an attacker could use to own your device with a malicious MMS message.

Nexus devices got their September security update last week, fixing another eight vulnerabilities, including one that could allow an attacker to bypass the lockscreen and access critical data on the device or install malicious apps.

To bypass the lockscreen an attacker has to have physical access to your device, and the device needs to be set to lock with a password (not a PIN or pattern).

The bug affects devices running Android 5.x (before build LMY48M). Android 4.4 is also affected, but Google said the homescreen cannot be accessed on 4.4.

The exploit works by entering an extremely long string of characters into the password field while the camera is open, which causes the device to crash back to the home screen.

Bug finder John Gordon – a security researcher from the University of Texas at Austin – disclosed the vulnerability privately to Google, but now that a fix is out he’s published a blog post and a video demonstrating the hack.

Gordon’s video shows the tedious but straightforward process: first he brings up the emergency dialer from the lockscreen and enters as many characters into it as possible; then he opens the camera app and taps Settings, which brings up the password field; then he copies and pastes the character string as many times as possible into the password field until the camera crashes and brings up the homescreen.

Sophos security expert Chester Wisniewski attempted to replicate the lockscreen bypass on a Nexus 4 running Android 5.1.1 LMY47V, but he was only partially successful.

Chet was able to use the hack to bypass the lockscreen, but the home screen was only partially rendered, without any icons.

I asked Chet a few questions about how the hack works, how severe a vulnerability it is, and whether we can expect to see more troubles with lockscreen bypass bugs on Android devices.

Here’s our exchange (I’m JZ and Chet is CW).

JZ: Google rated this lockscreen bypass as only a moderately severe bug. Do you agree?

CW: It is rather difficult and unintuitive to trigger, so I don’t consider it to be that major. It seems to rely on some rather specific circumstances, so I am not sure it would even work on non-Nexus devices. I suspect it depends how heavily the lockscreen software has been customized.

JZ: What goes wrong when all those characters are entered into the password field? And what does the camera have to do with it?

CW: It appears to be some sort of buffer overflow combined with a race condition. I think the camera app helps slow things down, increasing the CPU load, making it more likely you can crash things in just the right way for the phone to recover itself to an unlocked state.

JZ: Why would the camera be accessible from the lockscreen anyway? Does anyone need access to their camera without a password?

CW: I think camera access from the lockscreen is stupid and can lead to an unattended phone being filled up with dick pics. But, hey, I guess it is there so you can grab your phone and quickly start videoing just as the police are about to bring down the baton on your head.

JZ: [Laughs] Well said, Chet. But seriously, Google issued a fix for this bug on Nexus devices. What about people who have other Androids?

CW: Hopefully the vendors who are on-board with Google’s new monthly update process will push out fixes for this. However, with the lockscreen customizations that Samsung, LG and others have, it’s unclear whether or not they will be able to consume the fix, or even if they are vulnerable.

JZ: Do you think we’ll see more lockscreen bypass bugs like this one?

CW: Bugs of this sort are hard to find, but we’ve seen similar holes before on both iOS and Android devices. So I don’t imagine this will be the last one we’ll hear about.
