Samsung Lock Screen Security Flaw

@edentandroid bug samsung security · 31 comments · 650 words · Viewed ~34,337 times.

Here's a rather nifty security flaw I discovered on Samsung's Android 4.1.2. It allows you - in limited circumstances - to run apps and dial numbers even when the device is locked.

Video:

This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed.

Notes

HOWTO

Lock the device with a "secure" pattern, PIN, or password.
Activate the screen.
Press "Emergency Call".
Press the "ICE" button on the bottom left.
Hold down the physical home key for a few seconds and then release.
The phone's home screen will be displayed - briefly.
While the home screen is displayed, click on an app or a widget.
The app or widget will launch.
If the widget is "direct dial" the phone will start ringing.

Limited Scope

It's true, this attack is of limited value. That's one of the reasons why I've disclosed it.

Making a call relies on the phone having a direct dial widget on the home screen.

Running the apps is also of limited use - they go into the background immediately. If the app performs an action on launch (like recording from the microphone, switching on the flash, playing music, interacting with a server) that action will occur.

There is also the privacy concern that an attacker could see what apps you have installed on your homescreen - or see your calendar / emails if you use a widget which displays them.

Rapidly tapping the home button will - depending on your launcher - allow you to see what is on every home screen. Using an external video camera you should be able to clearly see all the user's calender & email widgets if they have enabled them.

Target

I've only tried this on one class of handset. Galaxy Note II N7100. Running 4.1.2 - the latest UK variant. The two devices both ran the stock launcher and lock screen. One device was rooted - the other was factory fresh.

I have not tested on any other devices.

Defending Yourself

This attack works against Pattern Lock, PIN, Password, and Face Unlock. There is no way to secure your phone against your home screen being accessed.

Your options are:

Do not use direct dial widgets on your homescreen.
Remove any calendar or email widgets which may show sensitive information from your homescreens.
Ensure that any apps which you do have on your homescreens do not automatically cost you money or act maliciously when launched.
Use an app locker to prompt for a password when apps are launched.
Changing to a different launcher will not protect you.
Using a 3rd party lock screen will not protect you if it accesses the emergency dialer.

Responsible Disclosure

Samsung don't have a dedicated responsible disclosure team. Nor do they offer a bug bounty. The nearest I've found is this unlisted email address.

I spoke to several external security people, and Samsung relationship managers within the industry, who have raised the issue directly with Samsung. I also tried emailing Samsung directly. I know that people within Samsung have been made aware of this bug.

Despite that, five days later, and Samsung's security team have not made any contact with me to discuss this bug or its disclosure.
I wonder if this is typical of Samsung's attitude towards their customers and the industry in general? Do they believe that if they ignore problems, they will disappear?

Conclusion

Samsung have a really poor record on Android security. Avoid purchasing their phones at all costs.

31 thoughts on “Samsung Lock Screen Security Flaw”

2013-03-04 13:03

NickC says:

Thanks for this. By the way you might want to update your video to fuzz out or hide the phone number of the person you call as you're about to get a lot of traffic from Engadget!
Reply
1. 2013-03-04 13:09
  
  Terence Eden says:
  
  It's a landline number with no phone attached. You can ring it as much as you like 🙂
  Reply
2013-03-04 13:16

dennis groves says:

This doesn't happen to work on Android 2.6.37.6-cyanogenmod. 🙂 One of the many reasons to install your own OS on the phone....
Reply
1. 2013-03-07 22:25
  
  Dina Dadian says:
  
  "One of the many reasons to install your own OS on the phone" - not a very practical advice for an Average Joe type of user.
  Reply
2013-03-04 15:56

Thomas says:

Just FYI the same issue was found and disclosed back in February by MTI, with some additional ways to exploit it. They used an S3 in their test, but was the same flaw in Samsung's version of Android. Might be useful to reference it for additional info for visitors. Thanks.
Reply
1. 2013-03-04 16:17
  
  Terence Eden says:
  
  Hi Thomas, Thanks for that, I hadn't found anything similar. For those who are interested, the report is a vulnerability with S-Voice. It appears you can get the voice commands (Samsung's Siri) to call numbers etc even when the screen is locked. I couldn't get it to work with my Galaxy Note II - so I don't know whether Samsung have fixed it. Thanks for the comment. Terence
  Reply
2013-03-04 22:52

bigicebear says:

fuzz out that poor girl's number - it's on display for the world to see...
Reply
1. 2013-03-04 22:57
  
  Terence Eden says:
  
  Hi, It's my home phone number - the "poor girl" is my wife. You can ring as often as you like, there's no phone plugged in to the land line. Terence
  Reply
2013-03-04 22:55

Scott says:

I tried it several times and cannot even see the home screen like you show in the video. Galaxy Note 2, Verizon provider, PIN lock screen.
Reply
1. 2013-03-04 22:58
  
  Terence Eden says:
  
  Interesting. Mind if I am which firmware you're on & if your device is encrypted?
  Reply
2013-03-04 23:03

Dan King (@fuzztester) says:

on my Motorola bionic i am seeing similar behavior. I haven't had much luck getting something to execute yet but flashing my home screen is indicative of a android platform issue.
Reply
2013-03-04 23:06

Ather says:

tested it on my N7100 4.1.1 Stock...the flaw is there, i was able to play the music from the widget since i locked it on that homescreen
Reply
2013-03-05 01:35

Thang Chien says:

I found this on 11th, Jan 2013. I've report to SamSung VietNam and SamSung Korea but they do not focus on it 🙂 http://www.youtube.com/watch?v=4Q54l6cNj_I
Reply
2013-03-05 02:59

Ray Cliff says:

Not worried at all. Don't have any sort of lock on my phone at all. Nobody should have anything "risky" on their home screen anyway! You only increase the chances of somebody having a go at someone else's phone by publicising it!
Reply
2013-03-05 07:54

nietzsche says:

Interesting... My previous post was deleted. So one more time: If you setup a number in Emergency call / Emergency dialler / ICE - emergency contacts / Personal emergency contacts, you can call this number but the home screen is not anymore accessible, never shows again. What is the problem with this information?
Reply
1. 2013-03-05 09:05
  
  Terence Eden says:
  
  This is not true. If you set up an emergency contact, you can still hold down the home button and the home screen is displayed.
  Reply
  1. 2013-03-06 07:28
    
    nietzsche says:
    
    Hi, very interesting, in my case it is working. Maybe I am an exception, but no chance to reach the home screen, so I am happy, just wondering, why some Note 2 are acting differently. I am on Stock ROM and rooted. Regards.
    Reply
2013-03-05 21:56

safe121 says:

but a chinese already found this bug in January : http://v.youku.com/v_show/id_XNTAzMDc4Mjgw.html Video password is "wooyun"
Reply
1. 2013-03-05 21:59
  
  Terence Eden says:
  
  Very interesting. Thank you. Do you know if it was reported to Samsung?
  Reply
  1. 2013-03-05 22:16
    
    safe121 says:
    
    It's not reported to Samsung but it has been posted on a technology forum in china (Link:http://zone.wooyun.org/content/2350)
    Reply
2013-03-06 21:43

Erik van Straten says:

I own a simlock free Samsung Galaxy Note II, not rooted, 4.1.2. I am observing the same behaviour as Terence. My 14 char password now seems nearly pointless (I am a security guy). PS I didn't buy this phone because I thought it would be secure, but because my company's customers and collegues also buy Android and iOS phones, and I like to know what I'm talking about. I had a voicemail icon on my homescreen. By clicking it (phone locked) I was able to dial that without having to enter my password; this definitely poses a security/privacy/commercial risk. So I moved the icon to another screen (i.e. off my home screen). However, I just found out that I can also swipe to other screens while the phone is locked. So I was able to call voicmail anyway. I have now deleted the voicemail icon. I have an icon for the flashlight which I can succesfully switch on or off with a locked phone (this could be considered a feature). Also I am able to start "Gallery", but do not see any pictures (after unlocking one can observe that the app is running in task manager). So far I have not been able to start any other app while the phone is locked, but I wouldn't be surprised if more information can be accessed. Somewhat related: http://www.heise.de/security/meldung/Samsung-Smartphones-verraten-Passwoerter-1817565.html (translation: Samsung smartphones reveal passwords). Although in German, the picture speaks for itself ("ich will rein" translates to "i want in"). However, on my Note II the word predictions do not show up in the password entry screen, perhaps I have -unkowingly how- disabled this in some way.
Reply
1. 2015-06-08 14:27
  
  Sheogorath says:
  
  @ Erik: Maybe your keyboard is set up to show passwords. Go into the Language and input part of your settings and ban it from showing them, and you should also ban it from accessing your contacts list as well. It won't stop the keyboard from displaying email addies you write on it, but it will stop it from farming your Gmail account (or whichever) for more.
  Reply

Trackbacks and Pingbacks

2013-03-04 12:50

Galaxy Note II vulnerability lets attackers (briefly) access home screen apps (video) ← engadget:

[...] Source: Terrence Eden (blog) [...]
2013-03-04 13:23

Grave vulnerabilidad afecta Samsung Galaxy Note 2 | PYSN Noticias:

[...] Más información aquí. [...]
2013-03-04 14:20

Galaxy Note II Vulnerability Allows Home Screen To Be Viewed Even On Locked Device [VIDEO] | Redmond Pie:

[...] that a fix is on the way. The person who discovered it – an Android enthusiast by the name of Terence Eden – reported it five days ago, but Samsung has yet to issue any kind of response to the [...]
2013-03-04 15:12

Droidik | Zranitelnost Galaxy Note II umožňuje na okamžik získat přístup k domovské obrazovce:

[...] Terence Eden objevil zranitelnost Samsung Galaxy Note II, která umožňuje útočníkovi získat na krátký okamžik přístup k domovské obrazovce zařízení. Stačí jen z obrazovky pro zadávání hesla vstoupit do tísňových volání, poté zvolit tlačítko ICE a několikrát stisknout home tlačítko. Než se telefon vzpamatuje, získá útočník na několik sekund přístup k domovské obrazovce, odkud může spouštět aplikace, zahájit hovor (např. prostřednictvím zástupce přímé volby) či zobrazit informace. Společnost Samsung již byla serverem Engadget na tuto zranitelnost upozorněna před několika dny, zatím však bez reakce. [...]
2013-03-04 15:20

Ευπάθεια στο Samsung Galaxy Note II αφήνει την οθόνη έναρξης εκτεθειμένη ακόμη κι αν το κλειδώσετε | Digital Life:

[...] ο ερευνητής ασφαλείας Terence Eden και δημοσίευσε στο blog του, επιτρέπει την πρόσβαση σε εφαρμογές που είναι [...]
2013-03-06 17:19

Galaxy Note 2 und Galaxy S3: Notruf-Taste hebelt Lockscreen aus - CNET.de:

[...] hat das Sicherheitsleck ein Nutzer namens Terence Eden zuerst beim Galaxy Note 2. In seinem Blog hat er eine detaillierte Anleitung und ein [...]
2013-03-07 12:03

Samsung Galaxy S3 and Galaxy Note 2 Bug Allows You to Bypass the Lock Screen:

[...] has come across the bug that affects the Galaxy Note 2 and posted an article about the issue on his own blog, because he found out that the South Korean company lacks a dedicated disclosure team. There are [...]
2013-03-20 21:54

Samsung Galaxyシリーズにもロックスクリーンからパスワードなしで通話できるバグあり | TechCrunch Japan:

[...] Edenはこれより前に、やはり緊急通話ダイアラーに関連するバグを発見している。これはスクリーンのある場所を同時に押すことでホームスクリーンにアクセスが可能になるというものだ。2つのバグは密接に関連しているものとみられる。Samsungはこれらのバグを認識しており、修正作業に取り組んでいるという。 [...]
2013-04-29 21:32

Lock Screen Bypass Flaw Found in Samsung Androids | Threatpost:

[...] Eden, a UK-based mobility expert, wrote about and uploaded a video demonstrating the bug on his personal blog yesterday. As you can see in the video posted below, Eden locks his device’s screen before [...]