Slashdot Mirror


Android Lollipop Can Be Hacked With Very Long Password

Complex passwords are the way to beat some attacks, but for phones running the latest version of Android, that's not necessarily so: puddingebola writes with an excerpt from an article at CNN: Locked phones require a passcode. But there's a way to get around that. Just type in an insanely long password. That overloads the computer, which redirects you to the phone's home screen. It's a time-consuming hack, but it's actually easy to pull off. In a report published Tuesday, computer security researcher John Gordon documented the vulnerability and posted a video of the hack. It only affects smartphones using the latest version of the Android operating system, Lollipop.

6 of 170 comments

  1. What is old is new by goombah99 · · Score: 4, Informative

    Early versions of mac OSX had a similar problem. 10,000 character password entries would unlock the system. Entering these was aided because the password field accepted emacs key commands (like every other field on a mac) so repeated ctrl-a ctrl-k ctrl-y ctrl-y ctrl-y quickly got you to the password field overload point.

    --
    Some drink at the fountain of knowledge. Others just gargle.
    1. Re:What is old is new by slo · · Score: 4, Informative

      Googling, I found this. It sounds like the screen lock vulnerability described.

    2. Re:What is old is new by macs4all · · Score: 3, Informative

      Not the original poster, and it was a bit hard to find, but there's this: https://www.securemac.com/maco...

      I remember a slashdot discussion about it years ago as well.

      Ok, well now I remember it; but according to this article (and the comments following it), this is MUCH different than the Lollipop vulnerability:

      1. It is only the SCREENSAVER-lock that is affected. The regular OS X Login Screen CANNOT be bypassed in this manner! BIG difference!

      2. You must know the USERNAME of an ADMINISTRATOR Account; regular (non-Admin) Users CANNOT use this vulnerability to unlock the screensaver. Again, BIG Difference!

      3. This has been fixed for aeons.

  2. pin code not vulnerable by sociocapitalist · · Score: 4, Informative

    Only works against passwords and only in certain cases.

    Does not work against pin codes or swipes.

    --
    blindly antisocialist = antisocial
  3. And it has been fixed by necro81 · · Score: 3, Informative

    The vulnerability was disclosed to Google, who has developed a patch, which Google released last week. So, it makes for a funny story, and a teachable moment, but does not necessarily mean OMG-We'z-Been-Hax0red!

  4. Re: Hardware Access by RavenLrD20k · · Score: 3, Informative

    Samsung Galaxy S5 owner here. Although I use the fingerprint scanner for a lockscreen, it has the ability to use a backup password instead. The password field does not allow pasting and typing into the field only allows 16 characters maximum; everything above that does not get entered in the field. I've also just switched to password entry as the primary locking mechanism to the same result. Cannot paste and field only accepts 16 characters.