CVE-2015-3860 Vulnerability: Elevation of Privilege Vulnerability in Lockscreen
A Security researcher and hacker, named John Gordon, has found an easy way to bypass the security of locked smartphones running Android 5.0 and 5.1 (Build LMY48M).
A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device. By manipulating a sufficiently large string in the password field when the camera app is active an attacker is able to destabilize the lockscreen, causing it to crash to the home screen. At this point arbitrary applications can be run or adb developer access can be enabled to gain full access to the device and expose any data contained therein.
Many of us use various security locks on our devices like Pattern lock, PIN lock and Password lock in order to protect the privacy of our devices.
However, a vulnerability could now allow anyone to take your Android smartphone (5.0 build LMY48I) with locked screen, perform a “MAGIC TRICK” and as a result crash the user interface (UI) for the password screen and gain access to your device.
The vulnerability, assigned CVE-2015-3860, has been dubbed as “Elevation of Privilege Vulnerability in Lockscreen“.
The attack requires the following criteria:
- Attacker must have physical access to the device
- User must have a password set (pattern / pin configurations do not appear to be exploitable)
How the Attack Works?
The secret behind the researcher’s “MAGIC TRICK” is as follows:
- From the locked screen, open the EMERGENCY CALL window.
- Type a few characters, e.g. 10 asterisks. Double-tap the characters to highlight them and tap the copy button. Then tap once in the field and tap paste, doubling the characters in the field. Repeat this process of highlight all, copy, and paste until the field is so long that double-tapping no longer highlights the field. This usually occcurs after 11 or so repetitions.
- Go back to the lockscreen, then swipe left to open the camera. Swipe to pull the notification drawer down from the top of the screen, then tap the Settings (gear) icon in the top right. This will cause a password prompt to appear.
- Long-tap in the password field and paste the characters into it. Continue to long-tap the cursor and paste the characters as many times as possible, until you notice the UI crash and the soft-buttons at the bottom of the screen disappear, expanding the camera to fullscreen. Getting the paste button can be finicky as the string grows. As a tip, always make sure the cursor is at the very end of the string (you can double-tap to highlight all then tap towards the end to quickly move the cursor there) and long-tap as close to the center of the cursor as possible. It may take longer than usual for the paste button to appear as you long-tap.
- Wait for the camera app to crash and expose the home screen. The duration and result of this step can vary significantly but the camera should eventually crash and expose sensitive functionality. You should notice the camera lagging as it attempts to focus on new objects. Taking pictures via the hardware keys may speed up the process, though it is not strictly necessary. If the screen turns off due to inactivity, simply turn it back on and continue waiting. In some cases the camera app will crash directly to the full home screen as seen below, whereas other times it may crash to a partially rendered homescreen as seen in this alternate proof-of-concept video.
- Navigate to the Settings application by any means possible, e.g. by tapping the app drawer button in the bottom center and finding it in the app list. At this point it is possible to enable USB debugging normally (About phone > tap Build number 7 times, back, Developer options > USB debugging) and access the device via the adb tool to issue arbitrary commands or access the files on the device with the full permissions of the device owner.
All this is done to make the camera app crash. Further, you will notice the soft buttons (home and back button) at the bottom of the screen will disappear, which is an indication that will enable the app to crash.
At this time, stop your actions and wait for the camera app to become unresponsive.
After a moment, the app will crash and get you to the Home Screen of the device with all the encrypted and unencrypted data.
Now without wasting time go to Settings > Developer options > Enable USB debugging and control the device by installing the Android Debug Bridge (ADB) utility.
Video Demonstration shows Attack in Work
Watch the video demonstration given below, where you can see practically how Gordon executed the hack.
In addition to this, if we notice the number of users with Android 5.0 and 5.1 with hardware compatibility as Nexus 4 and software installed as Google factory image – occam 5.1.1 (LMY47V) are less. Therefore, the risk associated will affect those users only.
Furthermore, for those users we have a good news that is- the patch has released for the vulnerability and is made public by Google.