Android 5.x lock screen susceptible to attack using long password
By Shawn Knight
Android users running Lollipop who rely on a password instead of a PIN, fingerprint or pattern lock to protect their devices may want to consider switching to one of the other security measures. That's because researchers at the University of Texas in Austin have found an incredibly easy way to crash the lock screen and gain access to the device.
The vulnerability, which exists in Android Lollipop 5.0 through 5.1.1 (before build LMY48M), requires that an attacker have physical access to the device and that the device use a password as its security measure.
As seen in the clip above, one needs to open the emergency call window, enter a bunch of characters (such as asterisks), then copy and paste the string repeatedly until it's very long. Then, head back to the lock screen and swipe left to open the camera, swipe to open the notification drawer and tap the settings icon. This will load a password prompt.
From there, it's just a matter of pasting the character string as many times as necessary in order to crash the UI.
Researchers privately reported the vulnerability to Google's Android security team on June 25. On July 1, the vulnerability was confirmed and assigned a low severity rating, which was bumped up to moderate a couple of weeks later. Android 5.1.1 build LMY48M was released on September 9 and contains a fix for Nexus devices.
The best course of action while you wait on a patch is to simply avoid using a password on the lock screen, relying instead on a PIN, fingerprint or pattern lock.