Slashdot Mirror
Android Lollipop Can Be Hacked With Very Long Password
Complex passwords are the way to beat some attacks, but for phones running the latest version of Android, that's not necessarily so: puddingebola writes with an excerpt from an article at CNN: Locked phones require a passcode. But there's a way to get around that. Just type in an insanely long password. That overloads the computer, which redirects you to the phone's home screen. It's a time-consuming hack, but it's actually easy to pull off. In a report published Tuesday, computer security researcher John Gordon documented the vulnerability and posted a video of the hack. It only affects smartphones using the latest version of the Android operating system, Lollipop.
That's impossible. It's Java! Java can't have security holes! Everyone knows you don't write C because C has buffer overflows and can cause security problems when you paste in very long strings, and that NEVER happens with Java! Java is perfect! Everything you write in Java is perfectly secure! Ask any Java programmer!
Support my political activism on Patreon.
Yeah, if you have hardware access to a device you own it. Nothing new to see.
...
is nothing but a matter of time and effort. Nothing is secure. Anyone who touts how secure their software product is is in for a fall.
Software security will be a game of whack-a-mole forever.
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
It wants its "latest" version of Android back.
early versions of mac OSX had a similar problem. 10,000 character password entries would unlock the system. Entering these was aided because the password field accepted emacs key commands (like every other field on a mac) so repeated ctrl-a ctrl-k ctrl-y ctrl-y ctrl-y quickly got you to the passwrd field overload point.
Some drink at the fountain of knowledge. Others just gargle.
Comment removed based on user account deletion
I figured it was mostly for the corporate identity change and logo changes Google is has been doing recently. I could see this fix being in there.
On another note I mourn the loss of the GPE edition. It was a good idea and should stay.
The preceding post was not a Slashvertisement.
Only works against passwords and only in certain cases.
Does not work against pin codes or swipes.
blindly antisocialist = antisocial
Watch this, watch them patch out long password support, and more will follow them.
"Passwords as long as you want? Na mate, can't be having that nonsense going on here, unpredictable = hackable, ban it!"
I hate password size limits. Immensely.
Any service that has a password size limit is automatically not going to be reliable in any sense of the word because their back-end security is likely piss-poor to begin with if they think short passwords are even remotely a good idea, never mind being unable to make a system that can support them. (which is trivial)
It honestly takes more effort to enforce short passwords than it is to use Good Security systems!
Nothing on my phone, other than photos, email addresses, bookmarks. No bank info, no home addresses. Phone is never left unattended, always on my belt clip. I've never lost a phone, had one stolen. Never used a password. Swipe to unlock. I don't leave my phone in the car, at the beach, bar, etc. I look at it as if I would my wallet. I've never lost it, had it stolen in over 40 years of carrying one since I got my drivers license in the 70's. If people were more RESPONSIBLE, it wouldn't be an issue.
A long password? Fuck. Just fuck.
I'm selling my Moto G on ebay and using the what I get from that to get a iPhone and the new big maxiPad and still have change left over to buy lots of apps and lots of music and lots and lots of movies.
The vulnerability was disclosed to Google, who has developed a patch, which Google released last week. So, it makes for a funny story, and a teachable moment, but does not necessarily mean OMG-We'z-Been-Hax0red!
I don't use a password. Why is my url mobile.slashdot.com when I'm on a desktop?
Thanks AT&T!
This Sig does not Exist.
Subject's propoganda for years on /. destroyed via ANDROID (a Linux)!
It's like gets(3), only different!
Confirmed :: this exploit exists in an iPhone 5 with firmware version 3.11.2b.
I set my iPhone's password to 56 i's (just to test), and entering that password unlocks the phone.
in soviet USA.
Or, maybe you could realize that older people have developed the wisdom and maturity that only comes with time, and, heaven forbid, you might actually learn something from them.
lollipop sucks dogs balls even more than i thought
Hey! That's unfair to dog-ball suckers everywhere, you insensitive clod!
Maybe you could put your phone down, and make my fucking burger.
Then get a Nexus or root.
Silence is a state of mime.
This "issue" only effects the version of Android from older Google factory images, as in, what would be on a Nexus phone and that's it.
If you have some non-Nexus Android phone, this does not effect you.
If you have a Nexus phone running basically any custom firmware (which most Nexus users are) this does not effect you. (because copy and paste on the lock screen is disabled)
If you have a Nexus phone running current stock firmware this does not effect you because it has been patched out.
If you have a Nexus phone and have refused recent firmware updates, and are using password as your lockscreen type (not PIN / smart / pattern / any custom lockscreen) then this DOES effect you, but everyone else, it does not.
-AC
Got root - bought AT&T version - it's a GPE now.
The preceding post was not a Slashvertisement.
As you said this is java based program so you know very well about java. Java is the biggest vulnerability for US Technology. Android is an operating system based on the Linux kernel. It is the most widely used and popular operating system among Smartphones and portable devices. Its programmable and open nature attracts attackers to take undue advantage. Android platform allows developers to freely access and modify source code. But at the same time it increases the security issue. A user is likely to download and install malicious applications written by software hackers. This paper focuses on understanding and analyzing the vulnerabilities present in android platform. In this paper firstly we study the android architecture; analyze the existing threats and security weaknesses. Then we identify various exploit mitigation techniques to mitigate known vulnerabilities. A detailed analysis will help us to identify the existing loopholes and it will give strategic direction to make android operating system more secure. ANDROID SECURITY USING EXPLOIT MITIGATION TECHNIQUES : The main target for implementing Android security is to protect the user data, system resources, and providing application isolation. For this, Android has timely updated its security controls with each patch and every version it has released. The earlier versions of Android had very little or no security features to protect against advanced attacks because the development was still on and also very few people had android devices. CONCLUSION : After studying in detail the various Android vulnerabilities, it’s clear how dangerous its impact can be. To tackle the number of increasing vulnerabilities, Android must timely introduce new security enforcement and exploit mitigation techniques. The kernel of Linux OS itself is so vulnerable that every week new exploit is discovered. The vulnerability fixes released for these should be patched in Android's Linux Kernel as well to avoid replicating the same vulnerabilities again. To stay away from malware's, users need to be aware about the importance of looking over the permissions granted to an app during installation time and to download apps from the official Google play store. In the coming years, we see Android to be a very secure OS, which the users can trust enough to do even their banking transactions from smart phones. If you want to secure your smartphone forever. Look forward to contact : http://www.locksmithsinscottsd...
"Maybe terms like "PASSING LANE" and "ACCELERATION LANE" aren't really so confusing after all..."
The current drivers call the passing lanes (yes, lane*s*, as the outside lane is the only non-passing lane on a multi-lane highway) "fast lanes" and set their cruise control at [limit-4] to allow for speedometer inaccuracies. The older people may not follow the rules well, but they at least bothered to learn the rules at least once. The kids today call the "passing" lane the "fast" lane and declare them fast, and everyone else too slow or too fast.
If you can't point to a car that you are passing, you shouldn't be in a passing lane. If you are, you should lose your license. And no, getting out of the outside lane because there's an entrance only 3 miles ahead, and you don't want to have to worry about changing lanes if someone's getting on doesn't count as passing someone.
Learn to love Alaska
On my HTC One (M7), the emergency dialer is not the stock Android dialer, and when you try to highlight the text to copy it, it tells you that it's not an emergency number and therefore the call wasn't sent. Same with the unlock screen: you can't paste text into it. I imagine the only phones that could be susceptible to this are the ones who are very close to stock Android, and since they are close to stock Android, they won't be vulnerable due to the new way Android updates are handled (every part of the system sans kernel is an app that can be updated).
Yeah dude. Right? Wendy's guy on Facebook while I'm watching my fries get cold. Wtf!