Android 5 bug allows attackers to easily unlock password-protected devices

If you own a mobile device running any Android 5 version except the latest (v5.1.1) and you use a password to lock your device, you will want to update your OS or switch to a PIN or a pattern-based lockscreen.

Details about a lockscreen bypass vulnerability (CVE-2015-3860) that can be very easily exploited have been made public by the UT Austin Information Security Office (ISO).

“By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen. At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein,” John Vernon Gordon III, a Senior Network Security Analyst at the UT ISO, explained and demonstrated the attack.


Of course, the attacker needs to have physical access to your device in order to execute the attack.

Google was notified of the flaw when it was discovered, and fixed it in Android 5.1.1 build LMY48M, pushed out a week ago.

The problem of other OEMs and device makers shipping patches with great delay is not so grave in this particular case, as users can simply switch from a password to a PIN or pattern to be safe from such an attack.
