Huge Vulnerability in Android Allows Lockscreen Bypass

A recently discovered vulnerability in Android Lollipop allows an attacker to bypass the password lockscreen on a mobile device and gain full access. The flaw was discovered by a security researcher at the University of Texas at Austin, who said he has already alerted Google about his findings.

The exploit requires an attacker to have physical access to the device, and it only works if the device’s owner has secured it with a password. The attack won’t succeed if the user has secured the device with a pattern or PIN. The exploit gives the attacker complete access, even in cases where encryption has been enabled.

A Frighteningly Easy Attack

The vulnerability exists only in devices running Android Lollipop, versions 5.0 through 5.1.1. Although a patch for the flaw has already been published for Google Nexus devices, that still leaves a large number of phones vulnerable to attack. Even more troubling, the attack is relatively simple to execute and doesn’t require any specialized knowledge.

To bypass the password, all an attacker has to do is input a sufficiently long string of symbols into the password field while the camera app is running. Doing so causes the lockscreen to crash to the home screen, at which point the attacker has complete access to the device.

John Gordon, the security analyst at UT’s information security office, first reported the flaw to Google in June, at which point the company managed to reproduce the bug and assigned it a low severity level.

Two weeks later, Google increased the bug’s severity rating to moderate, but it wasn’t until the middle of August that it released a patch for the flaw. The company released Android 5.1.1 build LMY48M on September 9 with the fix for the vulnerability, and made the issue public Monday.

More Bad Security News for Android

The lockscreen vulnerability isn’t necessarily the biggest security hole in the world. But 2015 has been a difficult year for Android as the operating system has made a number of headlines because of security flaws and exploits.

In July, for instance, mobile security company Zimperium announced the discovery of the Stagefright flaw, which allows attackers to exploit Android’s media library to deliver malicious code to a device. That vulnerability was much more widespread than the lockscreen flaw, affecting up to 95 percent of all Android devices on the market. The Stagefright flaw continues to bedevil Google, which has yet to address all of the vulnerabilities that researchers have found with the media library.

However, the company has become more aggressive in addressing potential flaws in the Android OS and in dealing with them more quickly. In June, Google unveiled a new Android bug bounty program, offering cash incentives to researchers who discover and report flaws in the mobile operating system.
