Friday, 18 September 2015 11:00

Android Lollipop long password vulnerability


Another Android Lollipop vulnerability allows you to enter a very long password – any password – at the lock screen and gain access.

Discovered by the University of Texas in Austin (full details here), it affects only those users with smartphones running Google’s Android Lollipop who use a password to protect their devices – pattern, fixed-length PIN, and fingerprint (biometrics) unlock are not affected.

From the locked screen, open the emergency dialler. The long text string can be created there. It stalls the camera, revealing the password screen. Simply cut and paste the text several times and voilà.

A user only needs to enter enough characters to overwhelm the lock screen – but there is a catch – the camera must be set to activate from the lock screen – as most are.

Google has released a patch for this but only for Nexus – it is up to smartphone manufacturers to release patches.

The patch also covered other vulnerabilities – showing yet again that Android users need to keep up to date and run anti-virus and malware protection.

| Title | CVE | Severity | Active Exploitation |
|---|---|---|---|
| Remote Code Execution Vulnerability in Mediaserver | CVE-2015-3864 | Critical | No |
| Elevation of Privilege Vulnerability in Kernel | CVE-2015-3636 | Critical | Yes |
| Elevation of Privilege Vulnerability in Binder | CVE-2015-3845, CVE-2015-1528 | High | No |
| Elevation of Privilege Vulnerability in Keystore | CVE-2015-3863 | High | No |
| Elevation of Privilege Vulnerability in Region | CVE-2015-3849 | High | No |
| Elevation of Privilege vulnerability in SMS enables notification bypass. | CVE-2015-3858 | High | No |
| Elevation of Privilege Vulnerability in Lockscreen | CVE-2015-3860 | Moderate | No |
| Denial of Service Vulnerability in Mediaserver | CVE-2015-3861 | Low | No |

What to do

If you have Android 5.x you can mitigate this by turning on an unlock method such as pattern or fingerprint recognition. You can also disable the camera app from working on the lock screen.

Remember that this vulnerability requires someone to have the phone – usually meaning it is stolen.


Ray Shaw


Ray Shaw (ray@im.com.au) has had a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!
