My Thoughts on Technology and Jamaica: University of Texas discovers Google Android 5.0 Lollipop hack – How to unlock any Google Android 5.0 Lollipop smartphone

Wednesday, September 16, 2015

University of Texas discovers Google Android 5.0 Lollipop hack – How to unlock any Google Android 5.0 Lollipop smartphone

Despite all the news about the potential hacking of Google Android phones using the Stagefright as well as the Certifi-Gate vulnerabilities as reported in my blog article entitled “Check Point Software Technologies discover Certifi-gate – How to Control an Android Lollipop smartphone and Why fragmentation is at fault” non are as scary as the one I’m about to reveal.

Turns out there is dead simple hack for Google Android 5.0 Lollipop smartphones.

Researchers at University of Texas on Tuesday September 15th 2015 revealed that it's possible to hack into any Google Android 5.0 Lollipop except the latest version of Google Android 5.1.1 Lollipop by simply entering a very long password attempt as reported in the article “Android 5 lock-screens can be bypassed by typing in a reeeeally long password. In 2015”, published16 Sep 2015 by Richard Chirgwin, UK Register.


Their post can be seen at the Google Android Open Source Project issue tracker in the post titled “Android full lockscreen bypass - 5.1.1 PoC”. According to the date on the thread, this vulnerability had been in the wild since Thursday June 25th, 2015

This defeat works only on Google Android 5.0 Lollipop smartphones that have been locked using a lock-screen password and have not had the latest update added as yet. It doesn't work on pattern lock or PIN (Personal Identification Number) lock.

University of Texas discovers vulnerability in Google Android 5.0 Lollipop – How to hack a Google Android 5.0 Lollipop

Apparently older versions of Google Android 5.0 Lollipop can have their lockscreen password mechanism disable by simply typing too many characters in the password as reported in the article “New Android lockscreen hack gives attackers full access to locked devices”, published Sep 15, 2015 by Dan Goodin, Ars Technica

This causes the security mechanism to crash and giving the person access to the device, even if the file system is encrypted as shown in the video below.


The technique begins by adding a large number of characters to the Emergency Call window that normally comes up when you're locked out of your Google Android device after too many attempts to login. The hacker than swipes open the camera from the locked phone, access the options menu.

Then he pastes the characters into the resulting password prompt. Surprisingly, instead of returning an error message, the handset lockscreen password mechanism crashes, giving the hacker aces to the smartphone.

The smartphone hacker can even run applications as well as enable developer access to the smartphone. Still, as luck would have it, Google Android 5.0 Lollipop only accounts for just 18.1% of all Google Android devices as pointed out in my Geezam blog article entitled “Why Android Fragmentation Worsens as Apple iOS 8 adoption almost complete”.

How to prevent your Google Android 5.0 Lollipop smartphone from being hacked – Use a pattern lock or PIN

The simple lesson here is really to lock your Google Android smartphone using a pattern lock or PIN (Personal Identification Number) lock as suggested in the article “Huge Android lockscreen vulnerability lets you unlock password-protected Lollipop devices”, published Sep 16, 2015 By Chris Smith, BGR.

But it's still surprising that in 2015, on the cusp of the launch of another Google OS, Google Android 6.0 Marshmallow as reported in my Geezam blog article entitled “Google Event on September 29th 2015 to launch Nexus running Marshmallow”, that Android still has this problem.

Still, if you want to be able to use the password lock mechanism, Google has issued a patch which has automatically gone out to all Google Nexus smartphones. T-Mobile has already begun issuing OTA (Over the air) updates, so yours may not be too far behind.

So this is really a storm in a teacup as you don’t need lockscreen password as that’s old hat. Nonetheless, now's not a good time to lose your Google Android smartphone, as word of this will get out and smartphone thefts will start to rise once more.



No comments: