New Android lockscreen hack gives attackers full access to locked devices

Status
Not open for further replies.

jheayahr

Enthusiast
The hack involves dumping an extremely long string into the password field after swiping open the camera from a locked phone. Unless updated in the past few days, devices running 5.0 to 5.1.1 will choke on the unwieldy number of characters and unlock, even though the password is incorrect. From there, the attacker can do anything with the phone the rightful owner can do.

The following video demonstrates the attack in action. The technique begins by adding a large number of characters to the emergency call window and then copying them to the Android clipboard. (Presumably, there are other ways besides the emergency number screen to buffer a sufficiently large number of characters.) The hacker then swipes open the camera from the locked phone, accesses the options menu, and pastes the characters into the resulting password prompt. Instead of returning an error message, vulnerable handsets unlock.

Fortunately, the vulnerability was introduced in version 5, so the number of affected handsets is only a small fraction of the overall Android user base. Vulnerable users who can't get an update or don't want to wait for one to become available can switch to a PIN or pattern-based lockscreen, neither of which is susceptible to the hack.
 
Dear jheayahr,

Since 2 years have passed since the last reply in this thread, I am locking it to prevent necroposting. Feel free to start a new thread or contact any forum staff if you want this to be reopened.

Thread closed.
 