If you’re using a smartphone that runs Android’s Lollipop OS and you thought you’d be protected by a password, researchers at Texas University in Austin are here to give you some bad news.
According to one of their recent discoveries, there’s a bug that affects 21 percent of Android devices in use and it basically allows anyone to unlock your password-protected device by bypassing the lock screen with an extremely lengthy password. In other words, your device is prone to hacking simply because overloading the lock screen with text unlocks it.
Researchers mentioned that the vulnerability affects only the smartphones running Google’s Android Lollipop OS that use a password for protection; you’re on the safe side if you’ve chosen the pattern or the PIN security.
All the hacker needs to do is overwhelm the lock screen with enough text typed into the password field. Before you know it, the OS crashes and reveals the home screen in response. Et voilà, the hacker is given full access to the device, in spite of any previous encryption.
John Gordon from Texas University explained rather simply that “by manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lock screen, causing it to crash to the home screen.”
After finding out about the security hole, Google promptly released a fix for its Nexus devices, describing the vulnerability as of “moderate” severity. As far as the company knows, the bug hasn’t been actively exploited by attackers, at least not on a large scale.
In a demonstration of the attack performed by the researchers, the Google Nexus 4 smartphone crashed in a few steps: the ‘attacker’ used the emergency call function to copy hundreds of characters to the clipboard. Next, he opened the camera, which prompted the password entry screen; after pasting the long text string into the password box, the Nexus crashed.
Out of the billion Android devices that are currently in use around the world, only 20 percent have been updated to run Google’s latest OS version called Lollipop, including new devices from Sony, Samsung, and LG.
A software update is what’s needed to fix the bug, but Google won’t be releasing one soon, so users have to rely on the smartphone manufacturer and their mobile phone operator to roll out the update. The attack cannot be performed remotely, and users who worry about it should change their security preferences to a PIN code or a pattern unlock instead of a password.