A security flaw allowing brief, but potentially dangerous, access to the Samsung Galaxy Note II’s homescreen, even if the phablet has been locked, has been identified, again raising questions about the company’s security policies. The not-quite-a-hack, identified by security researcher Terence Eden, requires nothing more than a few well-timed button presses, and potentially gives brief access to whatever apps, widgets, and direct-dial shortcuts are saved on the homescreen.
The exploit relies on the fact that, when certain buttons are pressed in sequence, the Note II’s homescreen flashes up. That happens no matter whether the phone has been locked with a PIN, pattern lock, password, or Android Face Unlock, and indeed Eden says third-party launchers and lock screens can’t prevent it.
In short, hitting Emergency Call on the homescreen, and then pressing the bottom left “ICE” button, followed by holding down the home button, will prompt the homescreen to show for a short period. What access an attacker might then have depends on what widgets and shortcuts the device’s owner has placed on the homescreen itself: if they’re triggers to call people, for instance, then if tapped before the screen locks again, the call will still go through.
Alternatively, other apps will begin running in the background if tapped in time, or an attacker could simply read through whatever information is currently shown in a widget. That might be a few recent email inbox entries, or details of upcoming calendar events.
Eden says he alerted Samsung to the exploit’s existence several days ago (he has tested it on the UK version of the Galaxy Note II N7100), and yet despite being assured by people close to the company that it had been internally noted, no public response has been given. In the meantime, he recommends removing any homescreen shortcuts that might either cost money if triggered, or give access to sensitive data.