Android Lollipop lockscreen bypassed even with password

Android users take note. If you thought that only iOS had problems with lockscreen bypass exploits, better think again. Then again, given how much flak Android's security is getting lately, that might not come as a shock. This latest vulnerability allows anyone with physical access so a device running Android 5.0 or 5.1 to get through the lockscreen and gain access to the device's secrets, mostly through and ADB connection to a computer. And this even if the device's lockscreen is itself protected by a password.

The bug, which is security bulletin CVE-2015-3860 is almost easy enough to reproduce on your own, if you have the patience or the device. You also need to have your lockscreen set to be unlocked by a password. Then comes the steps that you can find in the source link below, which involves repeatedly copying asterisks to insane lengths and crashing the lockscreen by pasting that extra long string of stars into the password field.

Or if you're too impatient, the video below proves the exploit as well.

Once the hacker gets access through ADB, everything is fair game. That would be especially be troublesome for those who have enable root access on the device, which turns their devices into open books for thieves.

There are two major caveats to this exploit, however, that mitigate its severity. First, it works only if unlocking the device is set to use a password. It doesn't seem to work with a PIN or pattern, which, almost ironically, makes these two more secure measures than they usually are. The second is that the intruder must have physical access to device in the first place. When that happens, however, things have pretty much gone south anyway. A minor consideration is that it only affects Android Lollipop devices, which already take up more than 20 percent of the market.

The vulnerability, which has been marked as moderate severity, has been reported already to Google and is now in the hands of Android's private security team. All that's left is to wait a month for the regular security update. At least for those on Nexus devices. Others, sadly, will have to wait much longer.

VIA: UT Austin Information Security Office