Android vulnerability makes your password worthless

Don't rely on this. Photo: Killian Bell/Cult of Android

Securing your devices with a password prevents other people from gaining access to your personal data, but thanks to yet another vulnerability in Android, you can no longer rely on that.

Researchers have discovered a new method of unlocking protected smartphones and tablets running Android 5.0 Lollipop and above without entering their passwords.

“A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device,” explain the researchers at The University of Texas at Austin.

“By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen.”

Following this crash, the attacker is able to run apps installed on the Android device and access any data stored on it, including photos, messages, contacts, calendars, and emails. The attacker can also gain ADB access, which would allow them to unlock the handset’s bootloader and more.

The attack is demonstrated in the video below.

As you can see, it’s incredibly easy to bypass Lollipop’s lock screen security and gain full access to the device. Google has fixed this issue in its most recent “LMY48M” release of Android 5.1.1, but of course, it will take months for its hardware partners to make the fix available to users.

The good news is that an attacker needs physical access to your device to perform this trick, so it’s not a hack that can be done remotely. As long as your device isn’t lost or stolen, then, your data should be safe. You can also use PIN or pattern lock methods, which aren’t susceptible to this attack.