Lockscreen hack

Video shows how to hack affected handsets

When users hear about hacks to smartphones they usually conjure up images of darkened rooms, figures hunched over keyboards and masses upon masses of software tools, debuggers and general highbrow geekiness. A new hack has emerged which blows that away - it lets users (eventually) unlock a locked handset using nothing but their thumb. OK, it's as tedious as it is ingenious, and it must be stressed upfront that this doesn't hit all Android handsets - a fix has already been issued - but the video shows a hack that has to be admired for the convoluted way it achieves its objective.

Use only what is available

The hack needs a password to be set in order to work - patterns and PINs are not affected. Since a password must be entered, the keyboard and the emergency dialler can both be used on a locked handset. Nothing in itself wrong with that, but watch how it goes when you push things too far. A warning - this is the full live hack, so towards the end it gets a bit tedious to watch. Just look for the helpful onscreen cues to skip forwards.

Once an attacker is in the phone, it's basically game over for security on that device. This means all messages, contacts, photos, videos, etc. can now be accessed.

Google issues fix - for Nexus devices only

The affected versions of Android are Lollipop 5.x before build LMY48M, which includes earlier releases of 5.1.1. Google have issued an OTA fix for the Nexus devices, confusingly also called 5.1.1, but with that new build number. This lockscreen bypass exploit is known as CVE-2015-3860.

Usually when advising on how to fix problems like this, users are told to uninstall certain software, or change the settings in a way they might find inconvenient. Fortunately for this one it's a lot easier - just change to using a pattern or a PIN for the lockscreen. Then wait for your operator to issue a fix...

