A security researcher from the University of Texas at Austin, John Gordon, has published a video demonstrating a hack of Android 5.x. He found a vulnerability that lets an attacker bypass the password-protected lock screen "with bare hands" in a few minutes.
The technique is simple and boils down to first crashing the user-interface module and then the built-in Camera app. After the crash the lock is released and the user lands on the home screen. From the 2:45 mark in the demo video you can skip straight to the point where the Camera app fails.
An application crashes when it tries to handle a data stream that is too large or otherwise unusual for it. While the phone is locked the user can still use the camera; the developers allowed this so that you don't miss an important moment while typing in a password.
Besides the camera, emergency calling is also available from a locked phone. The need for that is even clearer: when it is a matter of life and death, every second counts. The only mistake Google's programmers made is in how these two functions were implemented.
Instead of a short emergency number, the user can type an arbitrary string of random characters into the dialer field, up to tens of thousands of characters long. Gordon typed a dozen asterisks and then copied and pasted them via the clipboard, doubling the length of the string on each iteration. On the eleventh repetition a limit was reached and select/paste stopped working. He then copied the resulting string to the clipboard once more and launched the camera.
In recording mode the top bar can be pulled down; it holds the quick-settings icons and mode-switching shortcuts. While the phone is locked, however, they are all inactive, and an attempt to open Settings brings up the password prompt again. Gordon repeated his old trick here: he pasted the previously copied string (about 10,000 characters) into the password field and kept doubling it through the clipboard until the GUI crashed with an error, leaving the camera open in the background in full-screen mode.
Gordon then finished off Android's protection by loading the camera with a stream of images, constantly refocusing and zooming. The drain on free memory slowed everything down more and more, until at some point the camera process tripped over the UI data (the string of tens of thousands of asterisks). At that moment it was closed with an error and Gordon had access to the unlocked home screen.
The experiment was carried out on a Nexus 4 running Android 5.1.1. The method is crude and takes a relatively long time to perform: Gordon needed about eight minutes, during which he was constantly working the clipboard and the camera. Using the hardware keys to take pictures speeds the process up considerably.
The researcher described the discovered Android 5.x security hole on the university website only after a patch fixing it had appeared. The bug was also added to the MITRE database and is considered publicly known.
The problem is that Google has no single update mechanism that would push the fix to all devices. Closing the hole takes just one line in the Keyguard module limiting the length of the password field (android:maxLength="500"), but many manufacturers maintain their own firmware and are in no hurry to release a new build for every bug. As a result, a significant number of smartphones and tablets remain vulnerable.
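To make the one-line fix concrete, here is an illustrative lock-screen layout fragment written for this article; it is not the actual AOSP Keyguard source. The file, the view ids and the surrounding layout are assumptions; only the android:maxLength="500" attribute is what the article describes. The first field shows the weak, unbounded configuration, the second the corrected one.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Illustrative layout (added example, not the Keyguard module's real XML).
     View ids and the LinearLayout wrapper are assumptions made for this demo. -->
<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android"
    android:layout_width="match_parent"
    android:layout_height="wrap_content"
    android:orientation="vertical">

    <!-- Vulnerable: no cap on the text length. Repeatedly pasting and
         doubling the clipboard contents grows the field to tens of thousands
         of characters, and the UI process crashes while laying it out. -->
    <EditText
        android:id="@+id/password_unbounded"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:inputType="textPassword"
        android:singleLine="true" />

    <!-- Fixed: the single attribute the article describes. Android installs an
         InputFilter.LengthFilter for android:maxLength, so typed and pasted
         text alike is truncated at 500 characters and the oversized string
         can never reach the layout code. -->
    <EditText
        android:id="@+id/password_capped"
        android:layout_width="match_parent"
        android:layout_height="wrap_content"
        android:inputType="textPassword"
        android:singleLine="true"
        android:maxLength="500" />

</LinearLayout>
```

The important property of android:maxLength is that it is enforced as an input filter on the text buffer, not as a check in the click handler, so it blocks the clipboard route as well as the keyboard. A 500-character ceiling is far above any usable lock-screen password and does not get in the way of legitimate users.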
Since the vulnerable input field in the Keyguard module is only used for password locks, other authentication methods (PIN, unlock pattern, face recognition, etc.) are not affected by this vulnerability. The bug is fixed in Android 5.1.1 build LMY48M and in later builds.