Friday, March 22, 2013

Samsung Security Flaw - How to Disable Lockscreen

This is very strange that while flagships appear with much fanfare, they have trails of flaws overlooked by designers and software engineers that can be compromised by tech geeks outside their secret enclosed walls.
I just now came across Terence Eden Blog and here a procedure is outlined as to how one can disable the lock screen and get access to any app - even when the phone is "securely" locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing.

Even if you are unable to download a screen unlocker, this security vulnerability still allows you to dial any phone number and run any app!

Here is 'HOWTO'
  • From the lock screen, hit the emergency call button.
  • Dial a non-existent emergency services number - e.g. 0.
  • Press the green dial icon.
  • Dismiss the error message.
  • Press the phone's back button.
  • The app's screen will be briefly displayed.
  • This is just about long enough to interact with the app.
  • Using this, you can run and interact with any app / widget / settings menu.
  • You can also use this to launch the dialler.
  • From there, you can dial any phone number (one digit at a time) and place a phone call.
  • With Google Play, you can search for apps using the voice interface.
  • You can download apps from the app store which will disable the screen lock.

Writer's note:
This does not occur on stock Android from Google. This flaw only seems to be present on Samsung's version of Android. I have only tested it on a Galaxy Note II running 4.1.2 - I believe it should work on Samsung Galaxy SIII. It may work on other devices from Samsung. 
My test phone was running 4.1.2 with the Touchwiz launcher from Samsung.
Defending Against This Attack

Until Samsung release a patch, the only way this can be defended against is by completely removing the Samsung firmware and replacing it with a 3rd party ROM.
This ROM for the Galaxy S III claims to have fixed the problem.
I'm sure there will be ROMs for other Galaxy devices in due course.

UPDATE 2013-03-20T16:54:12+00:00

YouTube user "bicecream88" has alerted me to a way to partially defend against this attack.
By disabling your screen animations, it is possible to reduce the amount of time the screen is displayed.

Settings -> Developer Options -> Window animation scale -> off

Repeat for Transition animation scale and Animator duration scale.

The vulnerability is still present - but you need to be a lot quicker in order to exploit it.

Note: The procedure above is as given by Terence Eden and Silicon Buzzard is not responsible for any damage to the device/software during the process. If you have any queries/question, you may contact Terence Eden


We are also on Facebook

0 comments:

Post a Comment

Twitter Delicious Facebook Digg Stumbleupon Favorites More