First discovered by self-confessed mobile enthusiast Terence Eden, he outlines the flaw that allows an attacker to bypass the device's pattern lock, PIN code, longer alphanumeric password, and even the face unlock security feature.
It's not clear if the flaw lies within Samsung's devices or the Android platform, or both. However, this flaw may not be limited to Samsung's Note II or Android 4.1.2, and users and IT managers alike should test their devices immediately.
From the lock screen, an attacker can hit the emergency contacts button. Then, by holding down the home button, the unlocked home screen is momentarily displayed. That alone is enough to see what's on the home screen. Getting the timing right, users can direct dial and launch apps—though the attacker can only see what's briefly displayed rather than directly use the apps.
Described as a "reasonably small vulnerability" by Eden with "limited scope," he disclosed the flaw because Samsung doesn't have a "responsible disclosure team."
Five days later, he uploaded this video:
Eden tested this on just one class of handset, the latest U.K. variant of Android 4.1.2 "Jelly Bean" running on two Samsung Galaxy Note II devices. One was rooted, and the other not. Both were running the stock launcher and lock screen.
He notes that changing to a different launcher or third-party lock screen "will not protect you if it accesses the emergency dialer."
Eden highlights the privacy implications over the unauthorized downloading of data. While apps are automatically run in the background when the lock screen is bypassed, "there is also the privacy concern that an attacker could see what apps you have installed on your homescreen—or see your calendar/emails if you use a widget which displays them."
It comes only a couple of weeks after a similar flaw was discovered in the lock screen of Apple's iPhone, running the latest iOS 6.1 software. In both instances, with the rise of bring-your-own-device (BYOD) and the rapid uptake of iPhones and Android-based devices, has left enterprises ultimately vulnerable, despite any preventative policy measures or back-end enhanced security mechanisms to prevent data breaches, leaks or hacking attempts.
Despite a couple of updates by Apple to iOS 6.1 since then, no fix has yet been released. Reports suggest iOS 6.1.3, due out in the next week or two, will in fact fix the flaw.
Update at 10:30 a.m. ET: Google declined to comment. Questions remain with Samsung but still haven't heard back.