Samsung flaw allows attackers to bypass Android lock screen

Summary: In tests on a Samsung Galaxy Note II with Android 4.1.2, an attacker can bypass the device's lock screen, albeit momentarily, to access functions and view data on the device.

Attackers are able to bypass the lock screen on the Samsung Galaxy Note II smartphone, a device that the Korean electronics giant is pitching to enterprise customers.

Terence Eden, a self-confessed mobile enthusiast who first discovered the flaw, outlines how it allows an attacker to bypass the device's pattern lock, PIN code, longer alphanumeric password, and even the face unlock security feature.

It's not clear if the flaw lies within Samsung's devices or the Android platform, or both. However, this flaw may not be limited to Samsung's Note II or Android 4.1.2, and users and IT managers alike should test their devices immediately.

From the lock screen, an attacker can hit the emergency contacts button. Then, by holding down the home button, the unlocked home screen is momentarily displayed. That alone is enough to see what's on the home screen. Getting the timing right, users can direct dial and launch apps—though the attacker can only see what's briefly displayed rather than directly use the apps.

Eden, who described the flaw as a "reasonably small vulnerability" with "limited scope," disclosed it because Samsung doesn't have a "responsible disclosure team."

Five days later, he uploaded this video:

Eden tested this on just one class of handset, the latest U.K. variant of Android 4.1.2 "Jelly Bean" running on two Samsung Galaxy Note II devices. One was rooted, and the other not. Both were running the stock launcher and lock screen. 

He notes that changing to a different launcher or third-party lock screen "will not protect you if it accesses the emergency dialer."

Eden highlights the privacy implications over the unauthorized downloading of data. While apps are automatically run in the background when the lock screen is bypassed, "there is also the privacy concern that an attacker could see what apps you have installed on your homescreen—or see your calendar/emails if you use a widget which displays them."

It comes only a couple of weeks after a similar flaw was discovered in the lock screen of Apple's iPhone, running the latest iOS 6.1 software.

In both instances, the rise of bring-your-own-device (BYOD) and the rapid uptake of iPhones and Android-based devices has left enterprises ultimately vulnerable, despite any preventative policy measures or back-end enhanced security mechanisms to prevent data breaches, leaks or hacking attempts.

Despite a couple of updates by Apple to iOS 6.1 since then, no fix has yet been released. Reports suggest iOS 6.1.3, due out in the next week or two, will in fact fix the flaw.

Update at 10:30 a.m. ET: Google declined to comment. Questions remain with Samsung, but we still haven't heard back.

Talkback

19 comments
  • What is it with lock screen?

    Always dealing with emergency contacts.

    I think some serious path coverage testing is needed in that section of code. Industry wide.
    Bruizer
  • Also affects S3

    I can get mine to flash the homescreen momentarily. I just about got the gallery to launch after 4 tries. It's not unlocked for long, less than a second maybe.
    On the grand scale of things this rates at - meh, oh no, next.
    Little Old Man
  • S3 Affected differently?

    Galaxy S3: I can make this happen in a slightly different approach. Holding down my home button does nothing. Double clicking the home button does briefly show me my home screen. Though it's quite fleeting. I can't imagine I'd get enough time to click on much... though now I must try!
    Adam Wood
    • S Voice?

      S Voice being configured for pressing home twice could maybe cause that. Not entirely sure, haven't tried it myself. You can always try to change the settings and see.
      Natanael_L
      • It cuts the visible viewing time of the home screen in half...

        so it's even harder to quickly try to select something on the homescreen.

        I had unchecked the setting to bring up S-Voice via the home button so that the open apps list pops up quicker. I use Google Voice Search so not being able to double tap the home button to bring up S-Voice makes no difference to me.
        laequis
  • ...another quirk.

    Double clicking the S3 home button brings up my voice commands. So I see my home screen temporarily then it launches my voice options. Doing it again I only get my voice screen displayed differently. I'd like to test and see if this will actually carry out commands while it's locked.
    Adam Wood
  • Android exploits

    ALL Android devices which have adb enabled (which is default for almost all rooted devices/custom roms) can be hacked if they have a pattern. I don't know why so many people freak out about these exploits. If you're rooted, you can just disable the emergency dialer, disable adb and disable nfc, you're safe!
    ktkwon00
    • Safe?

      Sure, another band-aid for security... rooting violates your contract and warranty and disabling the feature may one die put you in danger... Great tip !
      Adam Wood
      • oops

        day* not die.
        Adam Wood
      • Danger?

        Only if you add buggy software. The standard SuperUser root management app is reasonably secure, so that alone won't increase the risk.
        Natanael_L
    • Fixed in 4.2.2

      Like many of these things, this particular backdoor was fixed as of 4.2.2, which requires that you accept each computer which uses adb.

      In addition, adb isn't usually enabled - it's not the default in CyanogenMod, anyway, and requires that you explicitly go and enable it.

      If you make yourself insecure, you're making yourself insecure.
      lukegb
  • As of now, only BlackBerrys are secure at the lock screen

    As of now, only BlackBerrys are secure at the lock screen
    sagec
    • Remember:

      A secure turd is still a turd.
      Justin McNair
    • As is WP8 to the best of my knowledge.

      And no, WP8 is decidedly not a turd, thank you Justin McNair.
      mountjl
      • No, because it is ...

        .... of the fluid type. ;)
        Natanael_L
  • Copying Apple again?

    Wherever Apple goes, Samsung has to follow.

    After Apple re-introduced their emergency pizza option, it was only a matter of time before Samsung copied it. Lol
    wright_is
  • Remember "scrambled" cable

    This demo brought back a slightly embarrassing memory of watching a "premium" channel that had been locked, at my babysitter's home, in the hopes that the "flashes" of discernable clarity might extend into a full fledged glimpse! Yes, she caught me and I'll never forget what she taught me... These security glitches can, in the right circumstance, lead to an interesting glance! (Although it does seem like much ado about nothing...)
    1bmwdrvr1
  • I have a solution

    If I ever get a decent Android device (such as one of these), probably the first thing I would do is download AVG Mobilation, so I could prevent crap like this (presumably).
    Richard Estes
  • My Galaxy S4 doesn't do this.

    Following what happens in the video... while displaying emergency contacts, holding down the home button has no effect. ICE contacts are still displayed. I just bought this phone on July 30, 2013.
    DittoHeadStL