back to article Android 5 lock-screens can be bypassed by typing in a reeeeally long password. In 2015

If you've got an Android 5 smartphone with anything but the very latest version of Lollipop on it, it's best to use a PIN or pattern to secure your lock-screen – because there's a trivial bypass for its password protection. The vulnerability, details of which were published here by University of Texas researchers on Tuesday, …

  1. Spender

    And nobody considered...

    ...a lock screen that crashes to the home screen might not be the best of architectures?

    1. Crazy Operations Guy Silver badge

      Re: And nobody considered...

      Seriously... Sensitive security processes like that should take the kernel with it if it crashes and force the device to reboot. Any time a process like that crashes, then it should be assumed that the whole OS is compromised. Besides, a buffer overflow like this could be used as a handy code-injection method, especially since it'd be running under root and all...

      Even NT4 would do that (if lsass.exe crashed, the system would immediately bluescreen)

      1. PJF
        Pint

        Re: And nobody considered...

        So, entering a 16 digit (O.K. maybe 24, or 32 at most) string of random characters will crash the OS, then it awards you with a SU!

        BRILLIANT!

        Thanks, I'll have another Guinness!

        1. misterinformed
          Pint

          Re: And nobody considered...

          It took a lot more than 32 characters - in the video, copy & paste are used to repeatedly double the password length. It starts with 10 characters, then gets doubled 10 times in the dialler, (an eleventh attempt is abandoned - it isn't copied), which makes 10240 characters. Then this is pasted four times into the password entry field, so the total is 40960 characters. I expect someone even more pedantic than me will correct me if I've miscounted.

          Obviously it's stupid to allow entry of so many characters, so I'll join you on the Guinness.

          1. Anonymous Coward
            Anonymous Coward

            Re: And nobody considered...

            I'm not telling you my password but I'll give you a clue ... it about 20,000 words long and its the Apple T&Cs... after the UK's GCHQ said to use more nemonic passwords, i opted for that one.

    2. Anonymous Coward
      Anonymous Coward

      Re: And nobody considered...

      Not even apple, which have had about 10 or so similar issues.... I guess windows phone would too, if it wasn't so crippled and actually had some users...

      1. klaxhu

        Re: And nobody considered...

        security issues happen, it's about how you handle it, not about its excistence

        the only difference being, apple fixed it in 1-2 days with an update, where as android needs months to bring all their users to that update via the carriers who hold back on them.

        isn't it fun to own an android device :D

        1. sabroni Silver badge

          Re: where as android needs months to bring all their users to that update

          Most Android users don't get security patches however long they wait.

          1. Steve Evans

            Re: where as android needs months to bring all their users to that update

            Unfortunately Google gave other manufacturers a nice phone OS to use for free, with very little tie in... In hindsight it might have been better to have a little more control, such as enforcing timely upgrades for at least a couple of years after a phone model stops being sold. They didn't, and Android as a whole cops the bad press, when the delay is with the OEMs.

            But that's hindsight for you... Reality is get a Nexus, and get updates, or go to HTC/LG/Samsung etc, and hope.

          2. TonyJ Silver badge

            Re: where as android needs months to bring all their users to that update

            "...Most Android users don't get security patches however long they wait...."

            Beat me to it. Samsung Galaxy Note 3 with 5.0 shoehorned onto it. As much as Apple can be castigated for, they do at least push out updates in a timely fashion.

            It's time Google did the same for the underlying OS. Indeed, isn't it time we all had a simple, centralised, way to put a bare-bones OS on?

            I've had both iPhones in the past an now Android - luckily I am a light-weight user so can hop between pretty much anything I fancy as long as it covers very basic bases.

            1. JLV Silver badge

              Re: where as android needs months to bring all their users to that update

              >It's time Google did the same for the underlying OS

              Why blame Google for the shortcomings of your phone manufacturer? I think the poster who recommended getting a Nexus nailed it, at least for Android. Time to vote with your wallet and abandon manufacturers who can't be bothered to issue patches in due time. Or get cyanogen phones if the manufacturers commit to patching quickly.

              Much as Google deserves some criticism, seems they can't win. If they are pushy, then they are Apple-bad control freaks. If they allow the vendors too much leeway, then it's their fault, not Samsung's (just to take an example).

              For the techies at least, it seems obvious that having a non-patching vendor is not a good thing. Buy somewhere else, don't throw money at the lazybone patch-by-buying-new-phone vendors.

    3. Yamas
      FAIL

      Re: And nobody considered...

      It seems the lock screen is just like any other apps, prolly not even running at root level, so when it fails (crashes) control is [naturally] handed back to OS in it default state (home screen), just like any android apps. What a fail!

      1. Sarah Balfour
        FAIL

        Re: And nobody considered...

        PROBABLY. The word is PROBABLY, you semi-literate, ill-educated, fucktard! Have a 'FAIL' icon yerself!

        1. Michael Wojcik Silver badge

          Re: And nobody considered...

          The word is PROBABLY, you semi-literate, ill-educated, fucktard!

          Shibboleth rant of the day!

          (Personally, I'm happy to overlook "prolly" as a stylistic fillip. It's the homophone errors - its/it's, of/have, etc - that generally irk me. But I do enjoy the occasional usage flame regardless.)

    4. Voland's right hand Silver badge

      Re: And nobody considered...

      Read the thread, I read it and I want to know what these guys are smoking.

      It is first classified LOW severity, then upgraded to "MODERATE". Full authentication bypass as "MODERATE". If that is MODERATE, I want to know WTF is high.

      1. Anonymous Coward
        Anonymous Coward

        Re: And nobody considered...

        "I want to know WTF is high"

        The programmer who writes this code!

    5. Vendicar Decarian1

      Re: And nobody considered...

      Well, it is a buffer overflow error, and as all C programmers know, the solution to a buffer overflow error is to make the buffer bigger.

  2. Steven Raith

    Disable copy/paste on the lockscreen

    .....and restrict the entry length of text/passphrases to something like 128 characters.

    Job jobbed, surely?

    1. twilkins

      Re: Disable copy/paste on the lockscreen

      But everyone knows that longerer passwords are betterer!

      1. DropBear Silver badge
        Joke

        Re: Disable copy/paste on the lockscreen

        Please stop perverting the language and use the grammatically correct form: "moar betterer"!

    2. Vendicar Decarian1

      Re: Disable copy/paste on the lockscreen

      How about the fucktard C, C++, etc, programmers learn to check the god damn end of buffer before they write a character to it?

      K&R should be burning in hell for their stupidity.

      1. Michael Wojcik Silver badge

        Re: Disable copy/paste on the lockscreen

        K&R should be burning in hell for their stupidity.

        Well. You make Poul-Henning Kamp seem the very soul of reason by comparison.

  3. Kevin McMurtrie Silver badge

    And the music player

    At least in CM12.1, you can crash the lock screen if a song is playing. Just hammer all of the mini player's buttons as fast as you can until the OOM killer makes a visit or things start to crash.

  4. gollux

    Is this what's known in the security industry as a butthead overflow?

  5. Anonymous Coward
    WTF?

    Do remember that the camera app needs to be active. Which happens here zero percent of the time. Here. What is it about buffer overflow that makes it the WTF for pretty much every OS, program or device flaw of the universe attractive?

    I can't grok this. I wasn't this stupid in the '70's.

    1. Dan 55 Silver badge

      If you swipe from the right side of the screen to the centre while the lock screen is visible then you open the camera app... Press the power button twice to return to the lock screen and the chances are it's still running in the background.

      1. Anonymous Coward
        Anonymous Coward

        That doesn't happen here but the default on this LG is to activate the camera, while locked,press volume up & down, that does it. Or it used to. I whacked that setting while I went spelunking after the vulnerability was announced.

        I haven't rooted it yet. I really should since more than a few paid applications need it. Right now I'm just playing with it as is. Pretty nice tablet actually.

    2. jzl

      Buffer overflow

      Buffer overflows are *the* reason why use of C or C++ for anything remotely security-sensitive should be punished by whipping.

      And yes, I know that "correct" use of safe strings mitigates it. But that approach relies on programmers always doing the right thing. Which, as human beings, they are unlikely to do.

      1. Dan 55 Silver badge

        Re: Buffer overflow

        It's fucking Google, they can afford a code review or two.

        They can also afford to sit down and think of an update mechanism for Android N that actually works.

        1. jzl

          Re: Buffer overflow

          Indeed, they can afford a code review or two. And they have a code review process.

          And still there are buffer overflows. Which just reinforces my point - if even Google can't avoid shooting themselves in the foot with C (++), what does that say about the language?

          C / C++ should be taken out back and shot. It's time to stop using them.

          1. Phil O'Sophical Silver badge

            Re: Buffer overflow

            C / C++ should be taken out back and shot. It's time to stop using them.

            You can write crap code in any language. C/C++ are no worse than any other if used competently.

          2. Dan 55 Silver badge
            FAIL

            Re: Buffer overflow

            I don't know what language you're competent in, but check the diff first before posting the usual "C/C++ is the root of all evil" kneejerk reaction...

            https://android.googlesource.com/platform/frameworks/base/+/8fba7e6931245a17215e0e740e78b45f6b66d590

            By the way, it's a pretty shoddy framework that takes "no limit" to mean "shit all over the memory if it's too long".

            1. Anonymous Coward
              Anonymous Coward

              Re: Buffer overflow

              "check the diff first "

              I decided to, and noticed the date: Tue Jul 21 13:27:22 2015 -0700

              So Google have kept hush about this while knowing about it for a couple of months. I wonder if they have put any effort at all into getting older devices patched. i.e. did they tell their hardware partners about it?

        2. TonyJ Silver badge
          Joke

          Re: Buffer overflow

          It's fucking Google, they can afford a code review or two.

          They can also afford to sit down and think of an update mechanism for Android N that actually works.

          But...but....everyone knows that the chocolatey company hires the best talent that individually know more than everyone else combined, ever! I mean...look at their recruiting video...what was it called now...? Had Vince somebody in...The Internship or something? </sarcasm>

      2. dajames Silver badge

        Re: Buffer overflow

        Buffer overflows are *the* reason why use of C or C++ for anything remotely security-sensitive should be punished by whipping.

        It's certainly far too easy to overflow a buffer in C, and I'd support your whipping motion there.

        Don't lump C++ in with C here, though. In C++, when it it used properly, string handling is performed at a higher level that absolves the programmer from any direct manipulation of data buffers and eliminates the possibility of a buffer overflow.

        Unfortunately, there are a lot of bad C++ programmers who still think in C.

        1. Tromos

          Re: Buffer overflow

          "It's certainly far too easy to overflow a buffer in C"

          Which is why competent C programmers didn't allow it to happen.

          "Unfortunately, there are a lot of bad C++ programmers who still think in C."

          No, there are just a lot of bad C++ programmers. Those good ones who still think in C wouldn't touch ++ with a bargepole.

      3. StevenN

        Re: Buffer overflow

        As this bug demonstrates, buffer overflows are not restricted to C and C++.

    3. Dr. Ellen
      FAIL

      Great Turing's Ghost!

      This has been around forever. In the 1960s a CDC 3100 locked up on me. A long, steaming batch of profanity on the console typewriter brought it back to life.

    4. Vic

      What is it about buffer overflow that makes it the WTF for pretty much every OS

      Back when everyone was coding in C, we all knew about buffer overflows. YOu got slapped for writing code that was susceptible to it.

      Now, of course, everyone uses more "modern" languages that aren't susceptible to such things. Except, of course that they are - the overflow merely manifests itself in a different manner. But by convincing the newcomer programmers that they don't have to worry about buffer writes by virtue of the language they're using, we have created a large problem where previously it was tiny...

      TL;DR: Complacency kills.

      Vic.

    5. Voland's right hand Silver badge

      Camera can be activated with the screen locked

      The camera can be activated with the screen locked. At least on Sony. Dunno about Nexus and other recent Android smartphones.

  6. Bota

    Not on a Samsung S4

    I'm running 5.0.1 and it limits my characters for password input. If you just pound at the keyboard it'll only allow a max of 12 characters, not sure why but that's me. The copy and paste attempt doesn't crash my phone so I don't know if touchwiz has been set up slighty differently?

    1. Bc1609

      Re: Not on a Samsung S4

      I've just tried this on my Note 3, and it doesn't work there either. I don't have the background camera app enabled by default but I turned it on for this and it made no difference, so I assume that Samsung have (presumably inadvertently) fixed this bug during their Touchwiz-ification process. Just as well, really, as it's unlikely Samsung would issue a fix.

      Could other Reg readers with different varieties of mudblood Android give it a go and let us know how it works? From his bug report I suspect that it might only work on pure Android devices, which are of course the most likely to be patched.

      1. Bota

        Re: Not on a Samsung S4

        Initiative worthy of a beer! I'd be interested to know what devices are vulnerable, the one time I'm not regretful for Samsung bloat.

    2. Alistair Silver badge
      Coat

      Re: Not on a Samsung S4

      Samsung SIIx(t989) - CM 5.1.1 (Tesla kit) - not affected

      a) no cut and paste on the password screen so my numbers are ..... rough - but at ~36k characters with camera running it did not crap out - that took 11 minutes with 'faked' bluetooth keyboard device to generate the string

      b) interestingly - from the logs, CM *might* be throwing the characters after the 257th is typed, will try again later with more time on my hands and an improvement to the fake keyboard script.

  7. jzl

    The scary thing

    Isn't that this vulnerability exists, but that for most Android users it will never be patched. The Android project needs to spend some quality time fixing its update system. Apple have managed it, so why can't Google?

  8. Tom 7 Silver badge

    What they need to do is model their language on an a world class object oriented language.

    This should be the get-out from Oracles stupid API case!

    Unless java does this shit too!

  9. Alan Denman

    3 charactets work too!

    NSA.

  10. Anonymous South African Coward Silver badge

    You'll need access to the physical device, obviously. And enough time to type/paste in that long string.

    But any ne'er-do-well will have all the time in the world once your device's been blagged...

    I'm using PIN's on all my devices. Wonder if these are also susceptible to these kinds of shenanigans and ne'er-do-well tomfoolery?

    Bleh.

  11. Jonathon Desmond

    Not on a Galaxy Note 4 (I think!)

    Similar to other Samsung users above, I just checked on my up-to-date Note 4. Looks to me as though the emergency dialler has no paste feature, and the number of digits you can type is limited.

    1. Simon Harris Silver badge

      Re: Not on a Galaxy Note 4 (I think!)

      Similar for my Sony SP (Android 4.3, and they're not updating it) - doesn't seem to be any copy/paste on the emergency screen - I'm not sure it limits how many digits you can type though, I gave up at 100.

  12. Alan Denman

    Left my phone alone only for one hour and...

    there was 989 chacters typed in it.

    Ill think twice about my tech free holiday now!

  13. Sgt_Oddball Silver badge

    Xperia z3...

    No copy and paste, not even dots to let you know how many characters, plus it kills the camera when you switch to unlock (I checked) but then I am 5.1.1 and Sony seems to be trying to keep phones updated and patched as even my old xperia z is on 5.1.1 these days.

  14. Captain DaFt

    Big tech needs more idiots in testing.

    No, really.

    After the latest improvements to an OS or program have been tested and approved, it should be installed on devices and handed off to a crew of the most tech clueless people they can find, and let them use it.

    Guaranteed they'll uncover all sorts of flaws like this, because they'll be trying to use it the way they want/believe it works, and not "the way it's designed to" that in house testers familiar with the process usually test it.

  15. artbristol

    Is this accurately described as a buffer overflow?

    Not trying to downplay the severity of this, but is it actually a C-style memory-corruption buffer overflow?

    The patch to fix it just adds a maxLength to an XML file describing a screen layout. Maybe the lock screen just runs out of memory and is killed. There are plenty of badly written webapps that would crash if you put too long a string into an input field, but you're not exploiting a buffer overflow by doing that.

  16. Sarah Balfour

    Slightly off-topic

    but I have an app that allows you to choose between three password types

    Standard

    Shapes

    Colours

    Shapes and colours can also be mixed (so you could have red triangle, green square, blue hexagon, pink flower, orange sun for example)

    Now, I'm autistic and I find random character strings (or even words partially composed of letter-esque symbols) almost impossible to memorise, which is why many of my passwords are identical (not exactly the safest person on Earth).

    I do, however, find colours and shapes easy and I'm sure I can't be alone in this. I just don't understand WHY after so many years companies still require people to use traditional alphanumeric passwords…?

    Show me a string of 8 (for example) random characters and ask me to recall them say 30m-1hr - or longer - later, and I'd struggle; show me a string of 8 colours, 8 shapes or 8 coloured shapes, and I'd have very little difficulty. I struggle to recall words, my mind is very visual; I can recall faces, or what someone was wearing the last time I saw them, but names…?! Forget it. Same with LPs. Unless it's a band I know intimately, I recall LPs by the art's main colour or image, rather than its name, which is difficult when some (New Order spring instantly to mind) dispense with art altogether. Least with NO it wasn't on every release!

    1. Swarthy Silver badge

      Re: Slightly off-topic

      I will have to find that app. Start my kids (one is per-literate) on proper security early.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019