Boredom led John Gordon to discover a technique that bypassed the lockscreen on his Android device.
By entering a long string of random characters into the password field after opening the phone’s camera app, Gordon said he was able to get to the home screen and eventually access anything stored on the device.
The hack is a privacy and security nightmare, albeit one that is only achievable if the attacker has physical access to the device and the victim uses a password to lock the phone, rather than a PIN or swipe pattern. Google on Sept. 9 released an over-the-air security update that patched this vulnerability and a number of others.
“In the lockscreen environment there’s very little you can do, so with enough free time you can pretty much try everything that’s possible. It started when I was bored one day, poking around at my own personal Android phone,” said Gordon, a researcher with the University of Texas Information Security Office. “I noticed I could get to the copy/paste functionality, which is not something you’d expect to be necessary or available on the lockscreen. From there I thought about what that lets me do that might not otherwise be feasible. Pasting long strings turned out to be the answer.”
The vulnerability affects Android devices earlier than version 5.1.1; the excessively long character strings destabilize the camera app, causing it to crash and drop to the home screen. Gordon said, however, that while an attacker would have access to apps showing on the home screen, they would not be able to use a keyboard or the soft buttons. He instead used the Android Debug Bridge (adb) to access any stored data.
“You have substantial access just from the crash to the home screen, you can run any app you want. However because of the crash you no longer have the soft buttons (back, home, menu, etc.) which may make navigation frustrating,” Gordon said. “Enabling USB debugging and connecting with adb is just a way to bypass that frustration and perform any action you wish on the phone.”
Gordon said he’s been experimenting with a number of techniques that could lead to lockscreen escapes, and that he’s reported other vulnerabilities to the Android security team that are exploited in a similar manner. Those bugs have not yet been patched.
“The key to the vulnerability is we’re able to insert a huge number of characters into the password field, more than it ever expected to handle,” Gordon said. “As the number of characters grows it causes the lockscreen process to become sluggish and eventually crash, leaving the home screen exposed.”
In a post to the University of Texas Information Security Office website, Gordon described the attack in detail, along with a demonstration. He starts by opening the emergency call window in order to get a keyboard. From there, he types random characters, copying and pasting them until he has a large string on the clipboard. His next step is to swipe open the camera app, which is still accessible from a locked screen, along with a settings icon. Tapping that icon brings up a password prompt. Gordon said he pasted the saved character string as many times as possible until the UI crashed and the soft buttons disappeared.
Eventually, he said, the camera app crashes and the home screen is exposed. He said he was then able to navigate to the settings application, enable USB debugging and access the device via adb.
“Luckily this behavior is only present in the password lockscreen, an uncommon configuration, so people using PIN or pattern locks are likely safe,” Gordon said. “With that being said, I would think the most security-conscious individuals tend towards using a full password, opening them up to attack.”
Gordon said that while the bug was confirmed, and patched, on Google Nexus devices, other manufacturers’ Android phones could be vulnerable as well. Others may have custom emergency dialers or cameras that keep the technique from working, Gordon said.
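For anyone triaging a fleet against the version boundary the article gives (devices earlier than 5.1.1 are affected, the Sept. 9 OTA is the fix), the following is an added helper script, not code from the article or from Gordon's post. It assumes only that `adb shell getprop ro.build.version.release` returns the Android release string, which it does on stock builds; the version comparison itself is done locally in awk so it works in any POSIX shell without `sort -V`.

```shell
#!/bin/sh
# Added example: flag Android devices whose release is older than 5.1.1,
# the threshold the article gives for the password-lockscreen crash.

# version_lt A B: succeed (exit 0) if dot-separated version A is numerically
# lower than B, comparing component by component and treating missing
# components as 0 (so "5.1" < "5.1.1" and "5.1.1" is not < "5.1.1").
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".");
    n = (na > nb) ? na : nb;
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0;   # "+ 0" coerces "1_r1" style suffixes away
      yi = (i <= nb) ? y[i] + 0 : 0;
      if (xi < yi) exit 0;
      if (xi > yi) exit 1;
    }
    exit 1;   # equal versions are not "less than"
  }'
}

# affected_by_lockscreen_bug RELEASE: succeed if the release predates 5.1.1.
# A success here means "may be affected": it does not prove the Sept. 9
# OTA is missing, and only password (not PIN/pattern) locks are exposed.
affected_by_lockscreen_bug() {
  version_lt "$1" "5.1.1"
}

# check_connected_device: query the attached device over adb and report.
# Assumes adb is on PATH and a single device is connected and authorized.
check_connected_device() {
  rel=$(adb shell getprop ro.build.version.release | tr -d '\r\n')
  if [ -z "$rel" ]; then
    echo "no release string returned; is a device connected and authorized?" >&2
    return 2
  fi
  if affected_by_lockscreen_bug "$rel"; then
    echo "release $rel is older than 5.1.1: confirm the Sept. 9 OTA is installed"
    return 1
  fi
  echo "release $rel is 5.1.1 or newer: outside the affected range"
  return 0
}

# Usage (not run automatically): ./check.sh    then call check_connected_device
```

The script deliberately reports "may be affected" rather than "vulnerable": the article notes that vendor builds with custom dialers or camera apps can stop the technique from working, and that PIN and pattern locks are not exposed, so the version check is a first filter for prioritizing devices, not a verdict.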