How serious is the flaw found in Samsung Android devices that allows attackers to bypass the lock screen? Can this vulnerability be targeted in a wide range of Android devices?
Ask the Expert!
SearchSecurity.com expert Nick Lewis is standing by to answer your questions about enterprise security threats. Submit your question via email. (All questions are anonymous.)
Mobile device security is dependent on more than just a PIN to unlock the screen. The screen lock is important, but only one of many recommendations to secure a mobile device. The screen lock doesn't necessarily help if removable media has unencrypted sensitive data stored on it or if the user chooses a weak PIN.
Mobile security researcher Terence Eden recently found two vulnerabilities that allow an attacker with physical access to bypass the Samsung Galaxy Note 2 lock screen. Both vulnerabilities rely on using the emergency phone dialer, but the first one provides only a brief window to access the home screen before the lock is reactivated. The second one uses the emergency call functionality to call the voice interface for Google Play and then installs an application to disable the screen lock. Eden has tested the vulnerabilities only on the Galaxy Note II running 4.1.2, but they could potentially work on other Samsung devices as well.
Screen lock functionality is under close scrutiny, as Apple has also had two vulnerabilities disclosed recently, in addition to a vulnerability discovered in 2010. With more smartphones and mobile devices enabling strong encryption to prevent access to the data stored on a device, attackers are targeting methods to bypass the lock security whether it is via accessing the camera, voice interaction or other functionality to get access to the device. Once the elusive screen lock is bypassed, the attacker gains access to the authorized user account and is able to access the encrypted data.
The overall impact of a screen lock bypass is an almost complete compromise of the security of the device. The attacker would be able to access anything on the device, including sensitive applications and data, that didn't require a password. The attacker would also be able to change the configuration settings on the device for anything that doesn't require the password. Many sensitive features like changing the PIN or disabling the screen lock setting do require a password or PIN, but even changing less sensitive settings -- such as if encryption is used for accessing something over the network -- could still allow for additional attacks on the device or accounts. A mobile device manager that independently managed settings or access could add an additional layer of protection for the settings on the device and potentially notify enterprises of a compromised device. Simply put, a screen bypass would undermine the overall security of the device.
This was first published in July 2013