Google recently issued a
patch for Nexus mobile devices to fix an Android Lollipop vulnerability that
lets hackers bypass the lock screen and gain control of mobile devices.
However, it could take weeks to months for manufacturers and
service providers to roll out the patch for other Android devices.
University of Texas security researcher John Gordon discovered the
vulnerability, dubbed "CVE-2015-3860," and posted details and a video
showing how the lock screen is bypassed on a Nexus device.
Hacker Scenario
The lock screen vulnerability affects only
devices that have an active password lock securing the phone. That type of lock
exposes a text field to accept data entry.
Other locking methods, such as pattern or PIN
locks, do not provide a text field. The hack needs text pasted into that field
to crash the lock screen.
Gordon found that entering a long string of text
into the password field while the camera app was active would cause the phone
to crash. When that happened, the hacker could gain access to the device's home
screen without having to input a correct password.
Gordon was not definitive on how widespread the
vulnerability might be, but he referred to reports noncredit and YouTube
saying that the copy/paste functionality was missing on non-stock phones.
"It may still be possible to insert a large
number of characters manually or with the help of a USB / Bluetooth
peripheral," Gordon said. "At least one YouTube comment suggested
success on a Sony Xperia Z3, but I have only tested it on Nexus devices."
Other OEMs use modified lock screens and camera
apps that apparently do not permit exploitation of the vulnerability.
However, lock screen security in general is
iffy, suggested Lysa Myers, a researcher for ESET.
"Lock screen vulnerabilities happen on all
mobile operating platforms," she told LinuxInsider.
Indirect Patch Process
How great is the risk for non-Nexus Android
device users?
"This is a major threat. Even when users feel
confident about locking their phone with a strong password, if their device is
exposed to this exploit, it does not really matter how strong the password
is," said Armando Leon, director of mobile at LaunchKey.
The main issue with Android lies in the lack of
uniformity in software and security updates. Even though Google has already
released the fix, it comes down to manufacturers such as Samsung, Motorola, LG,
HTC and others to patch their devices that still have that exploit, he told
LinuxInsider.
"Afterwards, it depends on the carrier when
carrier-specific devices need to be updated. Overall, it could take many months
for most users to receive the patches. Some unlocked phones that are not really
tied up to a carrier could get the patches fairly soon, but even that might
take a few weeks. The worst part is that some devices might never receive the
security update," Leon said.
What Could Happen
Hackers can gain full control of a phone or
tablet by exploiting this vulnerability. That can result in loss of personal
data, as well as huge inconvenience.
"This is an interesting but difficult
attack to carry out with any scale," noted Cameron Camp, a researcher with
ESET.
"There are few examples to point to in the
wild right now, as it would take a dedicated attacker with a specific target
phone of a specific version, and then the attacker would have to spend some
uninterrupted time with the device," he told LinuxInsider.
That said, the consequences for the user who is
targeted could be major, said LaunchKey’s Leon. A hacker who managed to obtain
an unpatched device could bypass the lock screen altogether, thus gaining
access to all of the data on the device -- including applications, contacts,
emails, text messages, photos, etc.
Prevention Beats Cure
Mobile device users should take three critical
steps to protect themselves against the vulnerability, said Xu Xin, chief
mobile security expert at 360 Total Security.
They should keep systems updated with the latest
version. They should install antivirus software and keep the virus database
updated in real time, periodically scanning their mobile phone. Also, they should
turn off the USB debugging function, he told LinuxInsider.
Do not stop there, suggested Leon. Users need to
find out if their version is affected by going into the Settings screen's About
section.
"If the version matches 5.0 up to 5.1.1 on
a non-Nexus device, then they are probably vulnerable. If unsure, they need to
check with the manufacturer or carrier to see if a recent patch fixed it, or if
there is one coming down the line," he said, noting that the most
immediate way to protect themselves is by switching from a password to a PIN or
pattern-based lock screen.