​Unpatched Android Lollipop devices open to lockscreen bypass bug

A new Android bug has left Nexus devices and possibly others exposed to a simple lockscreen bypass.

There's an easy way to bypass the lockscreen in devices running Android 5.0 Lollipop - at least, those which have not yet received the latest security update.

Now that Google has released its September patch for Android Lollipop, which contained a fix for a lockscreen bypass, a security researcher at the University of Texas has detailed how to exploit the bug.

The hack involves overloading the password field after opening the camera app from the lockscreen. The lockscreen will then crash, giving whoever's in possession of the device full access to apps and data, even if encryption is enabled. An attacker could also run applications of their choice on the device by using the Android Debug Bridge.

It's likely that only a subset of Android devices are prone to the bug since the bypass only works on devices configured with a password lock, and not on those set up with a PIN code or pattern lock.

It's unclear whether all Android Lollipop devices are affected by the bug, either. The researcher only tested the bug on a Nexus device, which Google made a patch available for last Friday in the 5.1.1 release, though over the air updates can take longer to deliver.

Also, the hack depends on the ability to copy characters from the emergency dialler in order to paste them in the lockscreen password field. An owner of a Samsung Galaxy Note 5 reported on Reddit that they were unable to copy and paste in the dialler, which may negate a key element of the described attack. A video demonstrating the lockscreen bypass is below:

The researcher first reported the bug to Google in June, and after some to-ing and fro-ing with the company's Android Security Team, convinced it to upgrade the severity of the issue from 'low' to 'medium', thus qualifying for a $500 reward under Google's recently launched Android Security Rewards program.

After researchers revealed the widespread Stagefright bug in August, Google vowed to release security patches on a regular, monthly cycle, the first of which came on September 9.

Samsung, HTC, and LG also promised to work with carriers to deliver monthly updates, signalling that efforts were underway to resolve the problem between Google, devices makers, and carriers of delivering Android security updates to end users.

But when it comes to lockscreen bypasses, Apple and Google have blemishes on their records with iOS suffering from a string of simple bypasses in 2013. A more recently discovered bypass affecting iOS 8 however required additional hardware to pull off.

Read more about Android security

Show Comments