A weakness in the Android 5 lock screen has been discovered by researchers at the University of Texas at Austin.
John Gordon, a network security analyst in the information security office at the University of Texas at Austin, released the post explaining the vulnerability. He spoke to The Guardian and said: “By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilise the lock-screen, causing it to crash to the home screen.”
From the locked screen, one can easily bypass the security. The potential attacker can open the emergency call window, fill it with characters, then copy those into the password field via the settings option on the locked screen until the user interface crashes. “At this point”, says the post, “it is possible to enable USB debugging normally and access the device to issue arbitrary commands or access the files on the device with the full permissions of the device owner.”
The vulnerability was reported privately to Google earlier this year, who promptly built a patch and made the issue public in June.
Unless devices have been fully patched, they may still be open to this vulnerability. The BBC reports that around 21 percent of Android users run operating systems which might be affected and that the vulnerability could only be exploited if users had chosen a password as opposed to a lock pattern or pincode.
Google responded to this vulnerability by saying “we have not detected customer exploitation of the newly reported issues,” on a recent security bulletin. The company released a fix on Wednesday for its Nexus devices.