Despite all the news about the potential hacking of Google Android phones using the Stagefright as well as the Certifi-Gate vulnerabilities, as reported in my blog article entitled “Check Point Software Technologies discover Certifi-gate – How to Control an Android Lollipop smartphone and Why fragmentation is at fault”, none are as scary as the one I’m about to reveal.
Turns out there is a dead simple hack for Google Android 5.0 Lollipop smartphones.
Researchers at University of Texas on Tuesday September 15th 2015 revealed that it's possible to hack into any Google Android 5.0 Lollipop except the latest version of Google Android 5.1.1 Lollipop by simply entering a very long password attempt, as reported in the article “Android 5 lock-screens can be bypassed by typing in a reeeeally long password. In 2015”, published 16 Sep 2015 by Richard Chirgwin, UK Register.
Their post can be seen at the Google Android Open Source Project issue tracker in the post titled “Android full lockscreen bypass - 5.1.1 PoC”. According to the date on the thread, this vulnerability had been in the wild since Thursday June 25th, 2015.
This defeat works only on Google Android 5.0 Lollipop smartphones that have been locked using a lock-screen password and have not had the latest update added as yet. It doesn't work on pattern lock or PIN (Personal Identification Number) lock.
University of Texas discovers vulnerability in Google Android 5.0 Lollipop – How to hack a Google Android 5.0 Lollipop
Apparently older versions of Google Android 5.0 Lollipop can have their lockscreen password mechanism disabled by simply typing too many characters in the password, as reported in the article “New Android lockscreen hack gives attackers full access to locked devices”, published Sep 15, 2015 by Dan Goodin, Ars Technica.
This causes the security mechanism to crash, giving the person access to the device, even if the file system is encrypted, as shown in the video below.
The technique begins by adding a large number of characters to the Emergency Call window that normally comes up when you're locked out of your Google Android device after too many attempts to log in. The hacker then swipes open the camera from the locked phone and accesses the options menu.
Then he pastes the characters into the resulting password prompt. Surprisingly, instead of returning an error message, the handset lockscreen password mechanism crashes, giving the hacker access to the smartphone.
The smartphone hacker can even run applications as well as enable developer access to the smartphone. Still, as luck would have it, Google Android 5.0 Lollipop accounts for just 18.1% of all Google Android devices, as pointed out in my Geezam blog article entitled “Why Android Fragmentation Worsens as Apple iOS 8 adoption almost complete”.
How to prevent your Google Android 5.0 Lollipop smartphone from being hacked – Use a pattern lock or PIN
The simple lesson here is really to lock your Google Android smartphone using a pattern lock or PIN (Personal Identification Number) lock, as suggested in the article “Huge Android lockscreen vulnerability lets you unlock password-protected Lollipop devices”, published Sep 16, 2015 by Chris Smith, BGR.
But it's still surprising that in 2015, on the cusp of the launch of another Google OS, Google Android 6.0 Marshmallow, as reported in my Geezam blog article entitled “Google Event on September 29th 2015 to launch Nexus running Marshmallow”, Android still has this problem.
Still, if you want to be able to use the password lock mechanism, Google has issued a patch which has automatically gone out to all Google Nexus smartphones. T-Mobile has already begun issuing OTA (Over the air) updates, so yours may not be too far behind.
So this is really a storm in a teacup, as you don’t need a lockscreen password, as that’s old hat. Nonetheless, now's not a good time to lose your Google Android smartphone, as word of this will get out and smartphone thefts will start to rise once more.