back to article Thought your Android phone was locked? THINK AGAIN

Android has taken another step to cement its place behind Java in the world of repeatedly-vulnerable software, with German group Curesec discovering that an attacker can get past users' PINs to unlock the phone. In fact, the Curesec post states, the bug – present in Android 4.0 to 4.3 but not 4.4 – exposes any locking …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Facepalm

    FTFA - "Curesec says it decided to go public after the Android Security Team stopped responding to its e-mails about the issue"

    What would you expect? The first thing the hackers did after pwning the Android Security Team's phone passwords was to pwn their email passwords.

    D'uh!

    1. Anonymous Coward
      Anonymous Coward

      Linux + Java = security nightmares!

      1. Anonymous Coward
        Anonymous Coward

        I've just searched through my Linux servers, x86 x64 and ARM and I can't find "com.android.settings" on any of them.

        So please explain your statement to me? Or are you just posting utter bollocks?

        1. Graham Dawson Silver badge

          Of course it's utter bollocks. I've seen this same anon on any article about linux, either posting obnoxious twattery claiming that linux has some number of orders of magnitude more security holes than windows (which is apparently so secure that the NSA cries its collective self to sleep at night worrying about to crack it) or just claiming flat out that linux is insecure because... well they never actually say why.

          And it is always the same anon. You can tell by the writing style and the copy-pasting of bullshit statistics.

        2. Ben Tasker

          In all fairness to AC

          x + Java = security nightmare

          Where x could be Linux, Windows, Mac, a Jam sandwich.

          If Java is involved, you can expect a security nightmare.

          Not that I condone trolling of course, especially when the poster doesn't have the balls to at least post under their own name

          1. This post has been deleted by its author

            1. VinceH

              Re: @Ben Tasker

              "You show me a jam sandwich combined with a nice cup of java that survives long enough to display nightmares of the security kind."

              Someone could drug that cup of java. That's your security risk, right there.

              1. James O'Brien

                Re: @VinceH

                I would have to agree with you on the drugged Java. I personally drink tea now a days but waking up with a sore bum after drinking that Java would suuuuuuuuck.

                1. Danny 14

                  Re: @VinceH

                  Linux (probably, I dont know enough about the linux underworld hacking collective) has neither many security holes nor gaping zero day issues.

                  What is does have is swathes of people installing linux and making changes they dont understand. This in turn will make linux insecure. It isnt linux fault that it will let you swiss cheese itself enough to let attackers in, it is the admins fault for not understanding what they are doing (or opening up).

      2. Chemist

        "Linux + Java = security nightmares!"

        Suggest you pop over to the "Patch Tuesday" item - your special skills are needed to explain that !

        1. Anonymous Coward
          Anonymous Coward

          "Suggest you pop over to the "Patch Tuesday" item - your special skills are needed to explain that !"

          But Windows has far fewer vulnerabilities than enterprise Linux distributions. Which presumably is part of the point being made above.

          1. Anonymous Coward
            Anonymous Coward

            But Windows has far fewer vulnerabilities than enterprise Linux distributions. Which presumably is part of the point being made above.

            That's because they're comparing Windows - out of the box, which is capable of sweet f*ck all - with a Linux distribution that has everything such as application, mail and database servers included. Now go and compare the vulnerabilities in Windows + IIS + .Net + Exchange + SQL Server to a typical Linux enterprise distribution, as well as looking at how piss poor MS are at producing timely fixes (or even ones that don't bork something else).

            1. ElNumbre
              Stop

              @Chris

              Except all Linux engineers worth their salt only install a bare minimum system to start with and then add the packages afterwards that are required to perform the functions they need.

              Anyone who installs X and OpenOffice by default on a server needs to be taken out and publicly flogged.

      3. Anonymous Coward
        Anonymous Coward

        Linux + Java = security nightmares!

        Cut it out, Steve.

        By the way, didn't you retire?

    2. Anonymous Coward
      Anonymous Coward

      Reaction to this story,

      A rather large long and loud sigh and a muttering of 'not again'.

      1. Anonymous Coward
        Anonymous Coward

        No

        Not affected,,,, and usual FUD was my response.

  2. Andrew Jones 2

    So explain to me.....

    If an attacker wants access to my phone - how exactly do they bypass the lockscreen to install the app that will execute code to bypass the lockscreen?

    If it is a remote hack - as in the code is included in some popular app that people install, well they don't need to bypass the lockscreen once they have the code on the phone?

    1. Ben Tasker

      Yup, given you need to get the user to install something first, almost seems easier to create a 'game' that asks for every permission possible and just grabs as much as possible remotely, that way you don't need to go through the hassle of physical access (though you lose some of the benefits).

      1. Stacy
        Unhappy

        And the worst thing is...

        Lots and lots of people would still install it without question...

        And then the ones that know me will call to ask me to look at their phone...

        1. HollyHopDrive

          Re: And the worst thing is...

          Yes, correct, but if it has all the permissions why would it bother with the unlock screen 'hack', it would just push all the data over the data connection without you ever knowing. Having to have access to the device would be a bit of a ball ache.

          So flaw yes, massive problem no.

  3. Paul Shirley

    they got a respnse?

    "decided to go public after the Android Security Team stopped responding to its e-mails about the issue"

    WTF!

    That implies they managed to get a response from the team. Highly unusual from any Google offshoot, it's not the Google way.

  4. Anonymous Coward
    Anonymous Coward

    Raymond Chen

    As Raymond would say, 'That rather relies on us being on the other side of that airtight hatchway' ...

    If the black hat has already managed to get sufficient elevated privileges on the device to execute this exploit, isn't the game already over and the device already owned?

    1. Danny 14

      Re: Raymond Chen

      Indeed. And if it is already locked and the malware removes the lock then surely the exploit is running as a service anyway so can do what it likes without having to unlock.

  5. Anonymous Coward
    Anonymous Coward

    That sound you hear is Oracle's lawyers

    discussing whether it's worth another go at suing Google for copying from Java

  6. Badvok

    So let's get this straight: There is a little bug in the android code base (nothing to do with Linux or Java) that lets an application that is already installed and running on the phone disable the lock screen without it having to ask for that level of control when it was installed - Wow, just ... Wow that is an amazing vulnerability.

    1. TKW

      The anonymous replies seem to miss the point. Other platforms have had a spate of bugs which allow anyone to pick up a handset and bypass the lock screen, giving them somewhere between "full" and "pretty substantial" access to the device with no prior access or action required.

      This flaw requires an attacker to persuade a user to install software and then, later, physically access the device and take advantage of the lock-screen bypass software they've installed. Doesn't seem in quite the same class to me?? As others have said, if you're in a position to be able to persuade the target to install software you could just persuade them to install software to access the data / feature you're interested in and forget about having to physically retrieve the handset later.

      I'm not sure it counts as Raymond's airtight hatchway because it sounds like a local privilege escalation.

    2. Danny 14

      Whilst it is a vulnerability, it is one with limited use.

      What use would it actually be? If you knew the admin password to a PC what use would an app be to reset a users password when they were logged in?

      I suppose if that app could be triggered remotely then a person with physical access to the phone could send a "signal" to an app installed on the phone to unlock on command. That needs more permissions so you might aswell simply raid the phone remotely for whatever you need. If the phone is remotely locked by the real owner AND the malware installed then it will still need to be triggered somehow. I suppose a service that "unlocks" *only* if it is "remotely locked" might be useful but highly untargetable.

      Another aspect is that com.android tree can be re-written on carrier specific devices. Whilst this might be a vulnerability on a a vanilla device, some other manufacturer that has added something different (HTC one with fingerprint scanner?) may handle locks differently anyway.

  7. Anonymous Coward
    Anonymous Coward

    Wow. The apologists are out in force! Some of the pithy comments you left on iOS vuln stories really are biting you in the ass now! Schadenfreude is not a very nice thing, but it sure does feel good!

    1. Anonymous Coward
      Anonymous Coward

      What a bunch of hypocrites you Fandroids are!

      1. Anonymous Coward
        Anonymous Coward

        They're not hypocrites!

        Don't mistake this for a "Real World Vulnerability". This is just the ability to disable the lock screen. How could that possibly be exploited in the Real World?

        (Unless it was on a Windows phone (eww! Boo! hiss!! etc...) in which case this would be yet another example of MS's inability to write code properly....)

        1. Intractable Potsherd

          Re: They're not hypocrites!

          Idiot AC is answering his own posts now!

          1. Anonymous Coward
            Anonymous Coward

            Re: Idiot AC is answering his own posts now!

            Yeah, that's the only possible conclusion.

            Unless, is it possible that it's one of the other users on here posting anonymously.....?

            No, surely all on here are loyal to Google except the one evil anonymous poster!

            1. Danny 14

              Re: Idiot AC is answering his own posts now!

              all fanboys are bad fanboys; all OSs will have bugs in them somewhere. It all comes down to testing and fixing. In an open source environment such as linux there is a larger chance of bugs being squashed before release.

              In closed android, apple, windows environments then the bugs have a higher chance of not being found.

  8. DaLo

    Is this a Real world vulnerability?

    Can anyone explain the steps that an 'attacker' would need to take to create make use of this vulnerability and then what damage they could do?

    Then think about any easier way to do that 'damage' without exploiting that vulnerability.

    1. Phil W

      Re: Is this a Real world vulnerability?

      The only real world situation where this applies is if an 'attacker' gets hold of your phone after you've unlocked it and before it locks again. Perhaps if you left it unlocked on the bar at a pub then left?

      But really, if you've left your phone unattended whether locked or not

      a) you'll be bloody lucky to ever see it again

      b) due to point a, whether someone has changed or remove your lock code/pattern is a minor concern.

      1. DaLo

        Re: Is this a Real world vulnerability?

        As the attacker has somehow managed to get hold of an unlocked phone before the screen timed out they can easily set the sleep and lock timeouts to 30 minutes and get any data they want off it.

        Once again a 'security flaw' that has no real-world implications.

        1. sabroni Silver badge

          Re: Is this a Real world vulnerability?

          From the article: As a result, any rogue app can at any time remove all existing locks.

          If this is true then you could have malware on your phone that I could trigger when I see you leave your phone unattended and disable the lock. But you don't think that's a "real world implication"?

          1. Phil W

            Re: Is this a Real world vulnerability?

            Yes it is, assuming such malware existed.

            However my original point a, stands. If you've left your phone unattended you're not likely to see it again.

            1. sabroni Silver badge

              Re: If you've left your phone unattended you're not likely to see it again.

              Depends whether I want to sell your phone or use it to impersonate you in an email or sms. If I'm trying to blag that I am you then stealing the phone will alert you that's something's afoot. Clearly there is limited but real potential for this to be exploited.

          2. DaLo

            Re: Is this a Real world vulnerability?

            If you've managed to put malware on the phone, why would you use one that requires you to follow the person around?

            You would just install something that allows remote access or just slurps and sends the data.

            If you are following someone around enough to be able to nab their phone whenever they aren't looking it would be trivial to film their pattern or pin being entered.

            Also you have to have someone who leaves their phone unattended, unlocked for long enough for you to take it and install an app without the person noticing.

            This is why there is no real world implication!

  9. Anonymous Coward
    Anonymous Coward

    Suprise!

    Why is it that when we see the word "exploit" or the phrase "security problems/issues", the article is always about Android?

    People need to give themselves a shake and stop using Google products!

    1. Anonymous Coward
      Anonymous Coward

      Re: Suprise!

      So what products do you use that are *magically* without any security problems?

      1. Anonymous Coward
        Anonymous Coward

        Re: Suprise!

        I would assume he/she uses Apple products, because that "I'm a Mac" guy told him/her they don't get viruses.

        1. Anonymous Coward
          Anonymous Coward

          Re: Suprise!

          Good grief, these multiple personalities don't half get confusing!

  10. scub

    bit random

    yeah, bit random, how about an app that lets you track your bus?

    eh?

    how about a button on the bus stop - let bus driver know somebody is up ahead waiting?

    eh? Huh?

    Good eh? that`ll save them tearing up the roads with all those empty buses- tear up the road banisterds!

    but i digress...

  11. bigtimehustler

    Errr, this is obviously a bug, but is it really that big of a deal? You have to install an application that has nefarious intent first and if you install such dodgy apps your already an idiot. But, even if this happens, a remote app removed your lock screen protection....to what end? They don't have your phone in their hands so why do they need to remove the lock protection? If they do have your phone in their hands and its unlocked, its already game over anyway, they can do anything they want with it. If they have it in their hands and its already locked, this does not help them get in so that being the primary function of a lock its not really broken.

  12. Craigie

    Pattern

    What about pattern? No mention of it that I saw.

  13. Anonymous Coward
    Anonymous Coward

    Kids these days

    One of the supposed virtues of Android is that it's "open", it's easy to sideload apps without going through a curated "app store", so I can imagine a situation where a kid codes an app and distributes it to his friends, and before you know it, he can unlock the phone of any one in his school, and half the phones of anyone under 18 in his city by Friday.

    Except that, apparently, kids today don't know how to program, and if they do, they're more likely to be hundreds of miles away from their friends, and can't get their hands on the phones anyway.

  14. ickis

    Think Outside The Box

    I think some readers are missing the potential dangers of this design flaw. On Android versions 4.0 through 4.3, any application, without requiring permission to do so, can reset any lock mechanism back to the default swipe method. Someone can write an app, not even a rogue app, and have it take advantage of this vulnerability. Think Code Red with Nimda (on the rogue side of things). How about an application, such as one touting encryption with SMS and may in fact do as advertised but also allows for a crafted text string to unlock the device? Should said app gain popularity, easily bypassing lock features could be possible. How about this same concept done without your knowledge like the backlash of carriers leaving debug mode enabled on CarrierIQ? Do people often disable USB debugging when they're often doing things like rooting and modding their devices? Not to mention how this could play into the BYOD movement. These are things to consider.

This topic is closed for new posts.

Other stories you might like