All You Need To Hack Into An Android Phone Is A Seriously Long Passcode
Many Android users were enraged in mid-September when a flaw was discovered in Lollipop, the fifth version of Android’s operating system, that enables people to easily bypass passcodes.
Although few Android users use passcodes to protect their phones, they are often billed as the most secure option, as you can set long, intricate character strings that no one could possibly guess. However, it appears that anyone who wishes to get past your lock screen won’t need to guess your passcode at all.
John Gordon, a security analyst at the University of Texas’ Information Security Office in Austin, reported the hack to Google a few months ago before uploading a video to YouTube showing how the hack is accomplished.
It’s a little time-consuming, but overall quite simple. From the lock screen, tap and open ‘Emergency Call’, then type some characters into the phone number field. Repeatedly copy and paste the character string until it is thousands of characters long; Gordon’s string was close to 50,000 characters, but the longer you make it the more effective it will be. Open the camera app and prompt the phone to request a password, then paste the character string you’ve created a few times until the system crashes. This can take around five minutes, but once it does crash, the phone should go straight to the home screen.
Google has acknowledged that the hack could allow users to ‘view contact data, phone logs, SMS messages, and other data that is normally protected’ but said the problem would only have ‘moderate severity’. After all, it does require hackers to have physical access to the device, unlike remote access attacks like Stagefright.
Gordon found the vulnerability whilst on a long East Texas road trip, and quickly notified Google. “I’m sitting in the passenger seat, bored, with no signal on my phone, so I start poking around and seeing what unexpected behavior I can cause,” Gordon explains. “A few idle hours of tapping every conceivable combination of elements on the screen can do wonders for finding bugs.
“My concern when I found this…was thinking about a malicious state actor or someone else with temporary access to your phone. If, say, you give your phone to a TSA agent during extended screening, they could take something from it or plant something on it without you knowing.”
Gordon went on to suggest that anyone who gains access to an Android device this way could go as far as to install malicious software if they enable developer mode.
Google has since released a patch to combat the flaw, which is available for its own line of Nexus models, but Gordon suggests that some Android phones from brands such as Samsung and LG may still be vulnerable. You can blame Android’s slow updating system, which is dependent on phone manufacturers and cell phone network carriers, for that.
Until the vulnerability is successfully patched across all devices, we suggest you install all available security updates, switch from a passcode lock to an unlock pattern or PIN, and, of course, keep an eye on your device at all times.