A vulnerability exists in Samsung devices running Android version 4.1.2 that could give unauthenticated users the ability to circumvent the screen lock and view the home screen, run apps, and reach out to contacts without successfully completing Android’s pattern lock, PIN, password or Face Unlock mechanisms.
Terence Eden, a UK-based mobility expert, wrote about and uploaded a video demonstrating the bug on his personal blog yesterday. As you can see in the video posted below, Eden locks his device’s screen before calling up the unlock screen and then presses the “emergency call” and the “in case of an emergency” (ICE) contact list buttons. From the ICE emergency contact screen, he holds down the home button. Just before the lock screen pops up, the home screen is displayed very briefly. As the home screen flashes, a user can touch one of the apps displayed and access it without authentication.
The bug is somewhat limited in its scope, Eden explains, because an attacker or otherwise unauthenticated user could only make calls in this way if the phone’s legitimate owner had the “direct dial” widget installed on his or her home screen. Application access is limited as well. Only apps that perform actions on launch, such as recording from the microphone, using the flash function, playing music, or interacting with a server are affected. Essentially, if an attacker or other unauthenticated user accesses an app with a launch function, the app will run in the background and only perform that or those actions.
Eden also notes that, depending on the launcher in use on a given device, repeatedly pressing the home button could allow the unauthenticated to see what is displayed on other sub-home screens, potentially giving an attacker the ability to view calendar, email and other installed widgets.
Eden tested the bypass on a Galaxy Note II N7100 running Android version 4.1.2. One of the devices was running on a factory install, while the other was rooted and both ran the default launcher and screen lock.
Users with affected devices can protect their personal data by not installing direct dial widgets on the home screen, removing calendar, email, and other widgets, making sure that there are no applications that automatically charge money upon launch or act maliciously in some other way on the home screen, and by establishing app-specific passwords for certain apps, according to Eden.
Eden says he attempted to contact Samsung and disclose the bug through a number of different avenues, but Samsung had not responded to his disclosures.
Threatpost also reached out to Samsung via email but did not hear back by the time of publication.
Two such screen lock bypass vulnerabilities popped up on Apple’s iPhone last month. One of them came about as the result of a glitch in the iOS 6.1 kernel and granted attackers access to users’ photos, contacts and other information. The other February flaw could give an attacker access to settings, contacts, voicemail and photos iOS 6.1 devices after an unauthenticated user attempts to make an emergency call but cancels it by turning the device off.