Patched Android Lockscreen Still a Threat

Google recently issued a patch for Nexus mobile devices to fix an Android Lollipop vulnerability that lets hackers bypass the lockscreen and gain control of mobile devices.

However, it could take weeks to months for manufacturers and service providers to roll out the patch for other Android devices.

University of Texas security researcher John Gordon discovered the vulnerability, dubbed “CVE-2015-3860,” and posted details and a video showing the how the lockscreen is bypassed on a Nexus device.

“The vulnerability appears to only be present in Android Lollipop. It was patched in build LMY48M of Android 5.1.1, released last week for Nexus users,” Gordon told LinuxInsider.

Hacker Scenario

The lockscreen vulnerability affects only devices that have an active password lock securing the phone. That type of lock exposes a text field to accept data entry.

Other locking methods, such as pattern or PIN locks, do not provide a text field. The hack needs text pasted into that field to crash the lockscreen.

Gordon found that entering a long string of text into the password field while the camera app was active would cause the phone to crash. When that happened, the hacker could gain access to the device’s homescreen without having to input a correct password.

Gordon was not definitive on how widespread the vulnerability might be, but he referred to reports on Reddit and YouTube saying that the copy/paste functionality was missing on non-stock phones.

“It may still be possible to insert a large number of characters manually or with the help of a USB / bluetooth peripheral,” Gordon said. “At least one YouTube comment suggested success on a Sony Xperia Z3, but I have only tested it on Nexus devices.”

Other OEMs use modified lockscreens and camera apps that apparently do not permit exploitation of the vulnerability.

However, lockscreen security in general is iffy, suggested Lysa Myers, a researcher for Eset.

“Lockscreen vulnerabilities happen on all mobile operating platforms,” she told LinuxInsider.

Indirect Patch Process

How great is the risk for non-Nexus Android device users?

“This is a major threat. Even when users feel confident about locking their phone with a strong password, if their device is exposed to this exploit, it does not really matter how strong the password is,” said Armando Leon, director of mobile at LaunchKey.

The main issue of Android lies in the lack of uniformity in software and security updates. Even when Google already released the fix, it comes down to manufacturers such as Samsung, Motorola, LG, HTC, among others, to patch their devices that still have that exploit, he told LinuxInsider.

“Afterwards, it depends on the carrier when carrier-specific devices need to be updated. Overall, it could take many months for most users to receive the patches. Some unlocked phones that are not really tied up to a carrier could get the patches fairly soon, but even that might take a few weeks. The worst part is that some devices might never receive the security update,” Leon said.

What Could Happen

Hackers can gain full control of a phone or tablet by exploiting this vulnerability. That can result in loss of personal data, as well as huge inconvenience.

“This is an interesting but difficult attack to carry out with any scale,” noted Cameron Camp, a resercher with Eset.

“There are few examples to point to in the wild right now, as it would take a dedicated attacker with a specific target phone of a specific version, and then the attacker would have to spend some uninterrupted time with the device,” he told LinuxInsider.

That said, the consequences for the user who is targeted could be major, said LaunchKey’s Leon. A hacker who managed to obtain an unpatched device could bypass the lockscreen altogether, thus gaining access to all of the data on the device — including applications, contacts, emails, text messages, photos, etc.

Prevention Beats Cure

Mobile device users should take three critical steps to protect themselves against the vulnerability, said Xu Xin, chief mobile security expert at 360 Total Security.

They should keep systems updated with the latest version. They should install antivirus software and keep the virus database updated in real time, periodically scanning their mobile phone. Also, they should close the USB debugging function, he told LinuxInsider.

Do not stop there, suggested Leon. Users need to find out if their version is affected by going into the Settings screen’s About section.

“If the version matches 5.0 up to 5.1.1 on a non-Nexus device, then they are probably vulnerable. If unsure, they need to check with the manufacturer or carrier to see if a recent patch fixed it, or if there is one coming down the line,” he said, noting that the most immediate way to protect themselves is by switching from a password to a PIN or pattern-based lock screen.