Elevation of Privilege Vulnerability Could Bypass “Screen Lock” Of Android 5.0 (CVE-2015-3860)

Warning: Illegal string offset 'filter' in /home/crypton1/public_html/mobilesecuritythreat.com/wp-includes/taxonomy.php on line 1409

android-lockUT Austin ISO (Information Security Office) has detected a bug in Android 5.x that allows hackers to bypass the locked screen of the phone and access the home screen or other functions of the phone. For the purpose of the attack however the attacker must have physical access to the phone and the screen should have been locked using a password. The technique will not work on the screens using a numerical pin or lock pattern.

The bug is functional on all Android 5.x versions except the latest 5.1.1 version or LMY48M build. Android has fixed the bug in the 5.1.1 version but there are millions of Android devices that operate on other 5.x versions of Android and are vulnerable to this attack.

The attack is executed using a complicated method of using a large string and manipulating it in the password field to crash the locked screen and exposing home screen. Attackers follow the method which requires the camera app to be active while the attacker manipulates a very large string in the password field of the phone.

The attack method includes accessing the emergency call window from the mobile screen. Here the attackers insert a random string of characters which can include numbers or alphabets. They then copy these characters and paste them into the screen thereby increasing the length of the string. This is repeated until they are unable to copy the string from the screen any further.

Once this has been done, that attackers go back to the lock screen and swipe left for activating the camera and then pull down the notification drawer from the top of the screen. In the top right corner of the pulled down notification drawer, they then tap on the settings icon causing the appearance of the password prompt. Here they tap the screen and paste the string copied from the emergency call window. It is repeated several times till the user interface crashes and the buttons to the screen’s bottom disappear which results in camera being expanded to the full screen. After a short while, the camera app crashes and the unlocked home screen appears on the screen.

The technique is simple for anyone to use and therefore once they gain a physical access to your Android phone, they can easily unlock it and access your phone’s data or other settings. It is therefore advisable that if you are using a phone that features Android 5.x, then get it upgraded to 5.1.1. If your phone manufacturer does not support an upgrade or is slow at providing an update to your Android Operating System, you can simply avoid this attack by changing the password protection method to either a pin based screen lock or a pattern lock.

The methods to protect your phone are simple however in most of the cases the vulnerability caused by a system bug like this expands exponentially due to lack of information on part of the users.

Attack scenario

  • Open the Emergency dialer screen.
  • Type a long string of numbers or special characters in the input field untill limit exhausts.Don’t forget to copy the long string ,coz it will work as a master key.
  • Now Open camera application and click on setting icon found in notification bar without closing the camera application
  • Now, it will ask to the input the password, paste the earlier copied continuously to the input field of the password, to create an even larger string.
  • Come back to camera and divert yourself towards clicking photos or volume button with simultaneously tapping the password input field.

A complete demo of the technique can be viewed in this video link.

Share Button
Tagged with 

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>