
Samsung flaw allows attackers to bypass Android lock screen


nsane.forums


Tested on a Samsung Galaxy Note II with Android 4.1.2, an attacker can bypass the device's lock screen, albeit momentarily, to access functions and view data on the device.

Attackers are able to bypass the lock screen on the Samsung Galaxy Note II smartphone, a device that the Korean electronics giant is pitching to enterprise customers.

Self-confessed mobile enthusiast Terence Eden, who first discovered the flaw, outlines how it allows an attacker to bypass the device's pattern lock, PIN code, longer alphanumeric password, and even the face unlock security feature.

It's not clear if the flaw lies within Samsung's devices or the Android platform, or both. However, this flaw may not be limited to Samsung's Note II or Android 4.1.2, and users and IT managers alike should test their devices immediately.

From the lock screen, an attacker can hit the emergency contacts button. Then, by holding down the home button, the unlocked home screen is momentarily displayed. That alone is enough to see what's on the home screen. Getting the timing right, users can direct dial and launch apps—though the attacker can only see what's briefly displayed rather than directly use the apps.

Eden described it as a "reasonably small vulnerability" with "limited scope," and disclosed the flaw because Samsung doesn't have a "responsible disclosure team."

Five days later, he uploaded this video:



Eden tested this on just one class of handset, the latest U.K. variant of Android 4.1.2 "Jelly Bean" running on two Samsung Galaxy Note II devices. One was rooted, and the other not. Both were running the stock launcher and lock screen.

He notes that changing to a different launcher or third-party lock screen "will not protect you if it accesses the emergency dialer."

Eden highlights the privacy implications over the unauthorized downloading of data. While apps are automatically run in the background when the lock screen is bypassed, "there is also the privacy concern that an attacker could see what apps you have installed on your homescreen—or see your calendar/emails if you use a widget which displays them."

It comes only a couple of weeks after a similar flaw was discovered in the lock screen of Apple's iPhone, running the latest iOS 6.1 software. In both instances, the rise of bring-your-own-device (BYOD) and the rapid uptake of iPhones and Android-based devices have left enterprises ultimately vulnerable, despite any preventative policy measures or back-end enhanced security mechanisms to prevent data breaches, leaks or hacking attempts.

Despite a couple of updates by Apple to iOS 6.1 since then, no fix has yet been released. Reports suggest iOS 6.1.3, due out in the next week or two, will in fact fix the flaw.

Update at 10:30 a.m. ET: Google declined to comment. Questions remain with Samsung, but we still haven't heard back.


Funny how this guy is concerned about security yet he seems to be fine with showing his wife's phone number to the world.



Well, if they can do this on the Note 2 with the provided Android version shown... they probably can do this on the Galaxy S3 and the like.



Just tried on my Note 2 running Android 4.2.2 using a CyanogenMod variant of ROM, and this does not work. I believe it seems Samsung specific. ICE contacts is a Samsung app so think the vulnerability lies there...



It does state in the first paragraph under the video link that this was tested on a STOCK firmware.

Yes, I got that... hence why I checked on non-Samsung firmware to narrow down where the vulnerability lies.

Well, of course it's software specific. It's to do with the Samsung lock screen/UI, as it clearly shows, so trying a CM ROM was pointless. It's obvious it wasn't a hardware issue.



Android ..... security can be easily bypassed ... :P :P :P

Wrong:

Software ..... security can be easily bypassed ... :P :P :P

Btw, it's a Samsung "feature", not an Android problem :)
