Android 5.x lock screen susceptible to attack using long password

By Shawn Knight ยท 6 replies
Sep 16, 2015
Post New Reply
  1. Android users running Lollipop that rely on a password instead of a PIN, fingerprint or pattern lock to protect their devices may want to consider switching to one of the other security measures. That’s because researchers at the University of Texas in Austin have found an incredibly easy way to crash the lock screen and gain access to the device.

    The vulnerability, which exists in Android Lollipop 5.0 through 5.1.1 (before build LMY48M), requires an attacker to have physical access to a device and that said device be using a password as its security measure.

    As seen in the clip above, one needs to open the emergency call window, enter in a bunch of characters (such as asterisks), then copy and paste the string repeatedly until it’s very long. Then, head back to the lock screen and swipe left to open the camera, swipe to open the notification drawer and tap the settings icon. This will load a password prompt.

    From there, it’s just a matter of pasting the character string as many times as necessary in order to crash the UI.

    Researchers privately reported the vulnerability to Google’s Android security team on June 25. On July 1, the vulnerability was confirmed and assigned a low severity rating which was bumped up to moderate a couple of weeks later. Android 5.1.1 build LMY48M was released on September 9 and contains a fix for Nexus devices.

    The best course of action while you wait on a patch is to simply avoid using a password on the lock screen, relying instead on a PIN, fingerprint or pattern lock.

    Permalink to story.

  2. 9Nails

    9Nails TechSpot Paladin Posts: 1,215   +177

    Too easy! I would have guessed that they (Google) set a password max length so that it doesn't crash the input. Oh well... that's why they make version numbers!
  3. lipe123

    lipe123 TS Evangelist Posts: 718   +236

    Who actually uses a password though?
  4. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,274

    I'm wondering myself. Personally I don't use anything but if my phone had a fingerprint scanner I'd probably use it but it's only a matter of time before we read in these articles that it can easily be cracked as well.
  5. When Touch ID first launched, it was hacked within like a day from a group in Germany, if I remember correctly. I don't know what the security status is now though.
  6. Skidmarksdeluxe

    Skidmarksdeluxe TS Evangelist Posts: 8,647   +3,274

    Why did it take so long to be hacked? Couldn't they find the fingerprint scanner? :confused:
    Last edited: Sep 17, 2015
  7. MonsterZero

    MonsterZero TS Evangelist Posts: 440   +223

    With Nova launcher running android 5.0.1 on note 4, from the emergency dial screen you cannot select or copy and paste.

    Take your stock android bugs back to where you came from.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...