Android 5.x Lockscreen Bypass (CVE-2015-3860)

A vulnerability exists in Android 5.x <= 5.1.1 (before build LMY48M) that allows an attacker to crash the lockscreen and gain full access to a locked device, even if encryption is enabled on the device. By pasting a sufficiently large string into the password field while the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen. At this point arbitrary applications can be run, or adb developer access can be enabled to gain full access to the device and expose any data contained therein.

September 2015: Elevation of Privilege Vulnerability in Lockscreen (CVE-2015-3860)

The attack requires the following criteria:

  • Attacker must have physical access to the device
  • User must have a password set (pattern / pin configurations do not appear to be exploitable)

Proof-of-concept – Nexus 4 factory image 5.1.1 (build LMY48I):

Attack breakdown:

  1. From the locked screen, open the EMERGENCY CALL window.
    (Screenshot: 01-lockscreen)
  2. Type a few characters, e.g. 10 asterisks. Double-tap the characters to highlight them and tap the copy button. Then tap once in the field and tap paste, doubling the characters in the field. Repeat this process of highlight all, copy, and paste until the field is so long that double-tapping no longer highlights the field. This usually occurs after 11 or so repetitions.
    (Screenshots: 02-dialer, 03-dialer-asterisks, 04-dialer-copy, 05-dialer-paste, 06-dialer-nocopy)
  3. Go back to the lockscreen, then swipe left to open the camera. Swipe to pull the notification drawer down from the top of the screen, then tap the Settings (gear) icon in the top right. This will cause a password prompt to appear.
    (Screenshots: 07-camera, 08-camera-settings, 09-camera-password)
  4. Long-tap in the password field and paste the characters into it. Continue to long-tap the cursor and paste the characters as many times as possible, until you notice the UI crash and the soft-buttons at the bottom of the screen disappear, expanding the camera to fullscreen. Getting the paste button can be finicky as the string grows. As a tip, always make sure the cursor is at the very end of the string (you can double-tap to highlight all then tap towards the end to quickly move the cursor there) and long-tap as close to the center of the cursor as possible. It may take longer than usual for the paste button to appear as you long-tap.
    (Screenshots: 10-camera-paste, 11-camera-pasted, 12-camera-secondpaste, 13-crash-nosoftkeys)
  5. Wait for the camera app to crash and expose the home screen. The duration and result of this step can vary significantly, but the camera should eventually crash and expose sensitive functionality. You should notice the camera lagging as it attempts to focus on new objects. Taking pictures via the hardware keys may speed up the process, though it is not strictly necessary. If the screen turns off due to inactivity, simply turn it back on and continue waiting. In some cases the camera app will crash directly to the full home screen as seen below, whereas other times it may crash to a partially rendered home screen as seen in this alternate proof-of-concept video.
    (Screenshots: 13-crash-nosoftkeys, 14-crash-background, 15-crash-desktop)
  6. Navigate to the Settings application by any means possible, e.g. by tapping the app drawer button in the bottom center and finding it in the app list. At this point it is possible to enable USB debugging normally (About phone > tap Build number 7 times, back, Developer options > USB debugging) and access the device via the adb tool to issue arbitrary commands or access the files on the device with the full permissions of the device owner.
    (Screenshots: 16-settings, 17-settings-about, 18-settings-developer)

Timeline:

2015-06-25: Vulnerability reported privately to Android security team.
2015-07-01: Android confirms the vulnerability can be reproduced, assigns LOW severity to the issue.
2015-07-15: Android promotes issue to MODERATE severity.
2015-08-13: Android commits a patch to fix the vulnerability.
2015-09-09: Android releases 5.1.1 build LMY48M containing the fix.
2015-09-14: Android marks issue public.
2015-09-15: UT ISO publishes this writeup.

jgor

31 comments on “Android 5.x Lockscreen Bypass (CVE-2015-3860)”
  1. noob says:

    not for zenfone 2 .i.

    • Michail says:

      It works on my Asus Zenfone 2 551ML with Asus Launcher
      1. Just get enough digits using ASUS Calculator. It works on the locked screen (swipe down).
      2. Then launch camera.
      3. Paste characters in the password field after tapping on profile settings (swipe down when camera is on).
      4. Press enter.
      5. Take Crash.
      6. ???
      7. PROFIT!!!

  2. Good job guys, keep it up…

  3. sehro says:

    On Moto X with 5.1 (LPA23.12-15) cannot reproduce with Moto camera; it does not allow notification pulldown. So, stock camera app (or another notification-allowing camera) must be present and set as default.

  4. Cybeh says:

    Can’t reproduce the hack on Samsung Galaxy S4; it doesn’t allow the text to be copied from the emergency dialer text box. And you can’t access settings or the drop-down menu once the camera app is open.

    Cybeh

  5. Ceena says:

    THIS IS AAHRMAAAAAZINGGG

  6. Dori says:

    > gain full access to a locked device, even if encryption is enabled on the device.

    Isn’t device encryption (like Keystore keys when encryption is required) backed by a lockscreen-input-derived key? Crashing the lockscreen should cause an issue with data / key access.

  7. Silicium says:

    oh jesus, please…

    This is so cheap, how can that be?

  8. Jeremy says:

    This didn’t work for me. Confirmed 5.1.1 lmy47. I’m unable to double click or long click to highlight the asterisks in order to copy them.

  9. It’s a masterpiece of bypassing a lock screen for Android 5.x. Android OS makers shall read your blog before releasing the new OS version.

  10. daniel says:

    You can’t get into an encrypted device by using that. While encrypted you cannot copy nor paste. So my question to you: why would you set an 8 PIN on a non-encrypted device?

  11. Sam says:

    I tried this on a Galaxy S5 5.0; the emergency dialer does not have the copy/paste function. This must be a 5.1.1-related bug on Nexus devices only.

  12. Yo says:

    Cannot invoke on my Samsung Galaxy S5 Active running Lollipop.

  13. fg says:

    I have an older Samsung Galaxy that is encrypted…the copy/paste function is also not available.

    There is obviously a problem that requires patching (not unusual for any operating system) but certainly not enough to cry wolf like CNN is doing.

    http://money.cnn.com/2015/09/16/technology/android-hack/index.html?iid=ob_homepage_tech_pool&iid=obnetwork

    Seems that CNN is trying to plug Apple (again). This is a fairly low risk vulnerability that seems to only affect Nexus phones, and someone has to be in possession of the phone in the first place.

  14. khen says:

    Will trying many times not lead to blockage if the user uses Google as his/her security??

  15. RAJAN says:

    Nope, don’t work on my S6 Edge running Android L…

    total BS

  16. blazer says:

    Hey there! Can reproduce this at LMY48I on 5.1.1 on HTC one X.

  17. Tiago Peralta says:

    On my OnePlus with stock cm12.1S I don’t even need to go to the camera or anything, I just need to copy/paste onto the dialer screen, and then press home, and bam, unlocked.

  18. Debasis Das says:

    I have a Nexus 5 and I have forgotten the PIN, and there is no option to paste the string (stars) in the PIN entry screen while on the camera app in the lock screen.
    Can anyone help ???
    Is there any other option for bypassing the lock screen ?????

  19. JDB says:

    Doesn’t work on a Samsung Galaxy S6+ – Copy/paste not available on the Emergency call screen. Can “Select All” – that’s it.

  20. Isn’t working with Sony Xperia C and Samsung E700H as I can’t copy the code. Help

  21. Nice Job, More and more attacks on android.

  22. mahua says:

    But mine is pattern lock. Nothing is happening, please help. I have tried the first and second step.

  23. weblink says:

    Very good post. I certainly love this website.
    Stick with it!

  24. Leakite says:

    This is some cool stuff. But it does not apply to all devices, because not all Lollipop devices support copy-paste on the lockscreen.

  25. Daivd says:

    Can’t stand bugs

  26. Arun Negi says:

    WoW, will try it. And will prank my friends 😛 HaHa

  27. kin! says:

    HELLLLLLPPPPPP Can anyone tell me how to do this without losing anything. I do not have the copy paste function in emergency call

  28. Eli says:

    I tried this on my Nexus 5, but I have the swipe pattern lock, not the PIN lock. Is there ANY way to do this with the swipe pattern lock??? HELP!!
