A vulnerability exists in Android Lollipop 5.x (up to 5.1.1, build LMY48L) that enables an attacker to crash the lockscreen and gain full access to a locked device, even when encryption is enabled on the device. It was discovered on the 25th of June, 2015 and reported privately to Google. An update that patches this vulnerability has now been released, and Google has made the exploit public (CVE-2015-3860). The method detailed here was originally described by jgor and first published here.
By manipulating a sufficiently large string within the password field while the camera app is active, an attacker is able to destabilize the lock screen, causing it to crash to the home screen. At this point arbitrary applications may be run, or adb developer access can be enabled, to gain full access to the device and any of its stored data.
The exploit requires the following:
- The attacker must have physical access to the device (duh!)
- The owner of the phone must have a password enabled (PIN / pattern configurations are not affected by this exploit)
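To triage a device inventory against the preconditions above, here is an added example (not from the original post or from jgor). The record fields, the sample devices, and treating LMY48L as the last affected build are assumptions; 5.1.1 builds outside the LMY48 branch are returned as "review" rather than guessed.

```python
import re

# Assumption: the page's bound "up to 5.1.1, build LMY48L" marks the last affected build.
LAST_AFFECTED_RELEASE = (5, 1, 1)
LAST_AFFECTED_BUILD = "LMY48L"

def parse_release(release):
    """'5.1' -> (5, 1, 0); None if the string is not a dotted version."""
    if not re.fullmatch(r"\d+(\.\d+){0,2}", release):
        return None
    parts = [int(p) for p in release.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(device):
    """Return 'affected', 'not-affected' or 'review' for one inventory record."""
    rel = parse_release(device["release"])
    if rel is None:
        return "review"
    if rel[0] != 5 or rel > LAST_AFFECTED_RELEASE:
        return "not-affected"      # outside Lollipop 5.x up to 5.1.1
    if device["lock"] != "password":
        return "not-affected"      # PIN / pattern lock is not affected per the page
    if rel < LAST_AFFECTED_RELEASE:
        return "affected"
    build = device["build"].upper()
    # Build IDs only order reliably inside one branch, so the trailing letter is
    # compared only when the branch prefix matches; anything else needs a human.
    if len(build) == 6 and build[:-1] == LAST_AFFECTED_BUILD[:-1]:
        return "affected" if build[-1] <= LAST_AFFECTED_BUILD[-1] else "not-affected"
    return "review"

# Constructed sample inventory (hypothetical field names: release, build, lock).
INVENTORY = [
    {"name": "nexus4-a", "release": "5.1.1", "build": "LMY48I", "lock": "password"},
    {"name": "nexus5-b", "release": "5.1.1", "build": "LMY48M", "lock": "password"},
    {"name": "nexus6-c", "release": "5.0.2", "build": "LRX22G", "lock": "password"},
    {"name": "nexus4-d", "release": "5.1.1", "build": "LMY48I", "lock": "pin"},
    {"name": "nexus6-e", "release": "5.1.1", "build": "LVY48C", "lock": "password"},
    {"name": "nexus5x-f", "release": "6.0", "build": "MRA58K", "lock": "password"},
]

def triage_all(inventory):
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, verdict in triage_all(INVENTORY).items():
        print(f"{name}: {verdict}")
```

A "not-affected" verdict based on the lock type only holds while the device stays on a PIN or pattern, so patching remains the durable fix.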
Video proof – [Nexus 4, Android 5.1.1 (build LMY48I)]:
- From the locked screen, open the EMERGENCY CALL window.
- Type a few characters in the dialer, e.g. 11 asterisks. Then double-tap the characters to highlight them and tap the copy button. Then tap once in the field and tap paste, doubling the characters in the field (i.e. now you have 22 asterisks). Repeat this process of highlight all, copy, and paste until the field is so long that double-tapping no longer highlights the field. This usually occurs after 10 or so repetitions.
- Return to the lockscreen, then swipe left to open the camera. Open the notifications by swiping down from the top of the screen, then select the Settings (gear) icon (top right). Now you'll see the prompt asking you for the password.
- Long-tap in the password field and select paste. Keep doing this as many times as possible, until you notice the UI crash and the soft buttons at the bottom of the screen disappear, expanding the camera to full screen. It may take longer than usual for the paste button to appear as you long-tap.
Tada! You are in. You can navigate to Settings and enable USB debugging (so that you can use adb to root the device or do anything else you want) 😉
Do mention in the comments if it worked for you, along with the type of device and Android version you have.