
Security Flaw Bypasses AT&T Samsung Galaxy S II Screen Lock

Posted by Soulskill
from the your-kid-knows-the-password-anyway dept.
zacharye writes "BGR has uncovered a security flaw on AT&T's version of the Samsung Galaxy S II that renders Android's unlock pattern feature completely useless. Using a simple workaround, the security hole allows anyone to bypass the unlock pattern, which normally denies users access to an Android device unless a preset pattern is drawn on a grid of nine dots spread across the device's lock screen."
This discussion has been archived. No new comments can be posted.

  • Common issue (Score:3, Interesting)

    by Georules (655379) on Friday September 30, 2011 @04:26PM (#37571656)
    This is a common issue with lockscreen replacements. "WidgetLocker Lockscreen" on the android market calls it the "5 second rule". You have to wait about 5 seconds after turning your screen off to turn it back on again if you want the replacement lockscreen to show instead of the default one. I'm not sure why it's not a standard application request to replace the lockscreen, except that it could potentially be a security problem if any application could just decide to override another lockscreen.
    • But the lock screen they are using looks standard. And even if it's modified, it's the one that shipped with the device so it would still not have the problems 3rd party lockscreens have.

    • by icebike (68054)

      This is a common issue with lockscreen replacements. "WidgetLocker Lockscreen" on the android market calls it the "5 second rule". You have to wait about 5 seconds after turning your screen off to turn it back on again if you want the replacement lockscreen to show instead of the default one.

      No, you've misread the article.

      If you fire up the phone and DON'T unlock it, but rather let it fall asleep again, when you then immediately wake it again it will be unlocked. At no time did you unlock it. So no 5 second rule should apply.

      • by pmontra (738736)
        Tested on a European SGS2 bought in May: it stays locked. Definitely a regression of the AT&T model.
      • by Asmor (775910)

        Also, the 5-second rule applies to the *home button*. Background apps cannot start within 5 seconds of pressing the home button (although this doesn't take effect if you're pressing the home button to wake the phone up). It does seem that Widget Locker ignores the home button if it's already running.

        Here's what happens with my phone, which is running Widget Locker and the stock pattern unlock screen.

        Normal behavior:
        Wake phone -> Widget Locker -> Swipe to unlock -> Pattern unlock screen -> Input

    • by stephanruby (542433) on Friday September 30, 2011 @06:35PM (#37573042)

      I'm surprised the Slashdot editors didn't write something like:

      "HTC Now Selling Unlocked Phones"

      "Now AT&T Upping the Ante by Selling Unlockable Phones!"

  • by Anonymous Coward

    This is why OEMs need to stop screwing with Android and just use the stock OS from Google.

  • by Anonymous Coward

    I have an S2, and while the method described in TFA doesn't work on my S2 (maybe I'm just stupid, or maybe coz' mine isn't tied to AT&T, it's an unlocked one imported from elsewhere), I did notice if I look at the dark screen from an angle, my designated unlock pattern shows up clearly in the form of finger stain...

  • And when one is writing software it is hard to keep everything in order. Apple has made some bonehead mistakes. MS has made really silly mistakes. One thing that should be good for Android is that many eyes can be looking at the code, except when some firm believes security is easy and makes a bonehead mistake. It seems like this will happen more in phones like Android unlike MS and Apple as firms have an incentive to make risky changes to interface to differentiate the phone, not to mention the need t
    • by PPH (736903)
      To be honest, open source people make bonehead mistakes as well. Where O/S excels is in getting things patched. If Microsoft won't patch their stuff, you're screwed. If the O/S project won't step up in a timely fashion, someone will fork their code, fix the problem and gain a reputation as a responsive team.
      • by Microlith (54737)

        This is not open source, however. Stuff like this is developed entirely behind closed doors by Google, then by Samsung, then by Samsung in cooperation with AT&T, and the source for this is likely unavailable.

  • Flaw summary (Score:5, Informative)

    by whysanity (231556) on Friday September 30, 2011 @04:33PM (#37571750) Homepage Journal

    FTA: "If you have a PIN or an unlock pattern set, all you have to do in order to bypass it is simply tap the lock button to wake the display and then let the screen time out and go black. Tap the lock button again and lo and behold, the unlock screen is gone and the phone can be accessed with no PIN or pattern input whatsoever."

  • by Anonymous Coward

    I have the same phone, I noticed that by using the pattern lock, the finger can leave a fingerprint mark on the screen, from the skin oils, which one can easily follow as a blueprint to unlock the phone when the phone is turned to reflect light correctly.

    I have had many friends try and use this technique to break into my phone, all of which succeeded even if the screen already had fingerprints on it.

    I found that the issue is almost eliminated if the screen has a protector on it, since it is much harde

    • by jrumney (197329)
      Use the matte (anti-glare) protector. The rough surface on this eliminates finger marks almost completely. It also prevents the screen from turning into a mirror when there is any more than a moderate level of background light.
  • Does anybody know if this affects the Bell Mobility devices in Canada? I know someone who owns one... wondering if I should bug them about it. Thanks.
  • sort of: http://www.youtube.com/watch?v=ovfYBa1EHm4#t=90 Not that I adequately understand how either of these things occur, but I don't trust any system that I cannot disassemble, upgrade, and repair or modify myself. What I understand even less, is why people even use smart phones. Yeah, they can do all but warm your lunch (maybe soon) and disperse crowds, but between a laptop/desktop, and bare-bones phone, I just don't get it. ....Why do I feel like I just harmed a nun?
  • I've a GT-I9100 with the latest firmware and I can't reproduce it. Kinda odd. I wonder if it's an AT&T version issue only, or if they have 3rd party software.

    That being said, I'd never trust that stuff - especially the pattern - as a real security protection. It's easy to guess patterns, it's easy to follow the finger's smudge (and you can guess even without that as patterns are not all that complex usually).

    Bottom line it's a protection against the jealous girlfriend, the little children, that sort of stuf

  • Looks like the explanation from AT&T and/or Samsung is that this works only within the timeout period of the last unlock. That is, you unlock a phone with a PIN at time T. Its timeout would be at T+timeout. Within this period, if you force sleep by pressing the power button and press it again, it will show the PIN screen. If this PIN screen times out before T+timeout, and the power button is pressed within T+timeout, then the PIN screen is not shown.

    As a programmer I am guessing it would just toggle back
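
A small model of the timing behaviour described in the comment above, added here as an illustration (it is not code from the poster, Samsung or AT&T). The `Keyguard` class, its method names and the 60-second grace value are assumptions; the hardened variant enforces the invariant that a display timeout may keep an unlocked session open but may never clear an existing lock.

```python
# Toy lock-state model (constructed for illustration; not firmware code).
class Keyguard:
    def __init__(self, grace, hardened=False):
        self.grace = grace                  # seconds after an unlock before a timeout re-locks
        self.hardened = hardened
        self.locked = True
        self.last_unlock = float("-inf")    # time T of the last successful unlock

    def unlock(self, now, credential_ok):
        """PIN/pattern entry; only a verified credential clears the lock."""
        if credential_ok:
            self.locked = False
            self.last_unlock = now
        return not self.locked

    def power_button_sleep(self, now):
        """Explicit sleep via the power button always locks."""
        self.locked = True

    def timeout_sleep(self, now):
        """Display timed out with no input."""
        in_grace = now < self.last_unlock + self.grace
        if self.hardened:
            # The grace window only delays locking an unlocked session.
            if not self.locked and not in_grace:
                self.locked = True
        else:
            # Behaviour as described: lock state recomputed from the timer
            # alone, so an already locked device flips back to unlocked.
            self.locked = not in_grace

    def wake_shows_lock_screen(self):
        return self.locked


def replay(hardened, grace=60.0):
    """Sequence from the comment: unlock at T, power-lock, wake,
    let the PIN screen time out before T+timeout, wake again."""
    kg = Keyguard(grace=grace, hardened=hardened)
    kg.unlock(now=0.0, credential_ok=True)      # T
    kg.power_button_sleep(now=5.0)
    first_wake = kg.wake_shows_lock_screen()    # PIN screen is shown
    kg.timeout_sleep(now=15.0)                  # PIN screen times out
    second_wake = kg.wake_shows_lock_screen()
    return first_wake, second_wake


if __name__ == "__main__":
    print("as described:", replay(hardened=False))
    print("hardened:    ", replay(hardened=True))
```
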
