Bug bypasses lock screen on Samsung Galaxy S3, Note 2
The lock screen of your smartphone that supposedly keeps confidential info from prying eyes turns out to be not so reliable after all. A bug has been discovered that lets users take a sneak peek of the home screen of the Samsung Galaxy Note 2. Worse, a similar bug completely allows bypassing and gain control of the Samsung Galaxy S3.
Mobile enthusiast Terence Eden first discovered the Note 2 bug and posted a complete exposé of the issue on his personal blog, after learning that South Korean smartphone giant Samsung does not have a dedicated disclosure team. Several types of lock screens, specifically Pattern Lock, PIN, Face Unlock, and even the most secure Password, are affected. Eden even went on to say that “there is no way to secure your phone.” To confirm his theory, you can follow the steps below and invoke the bug on your own device.
- Lock the device using the affected security types mentioned above.
- Turn the screen on.
- Tap Emergency call.
- Tap the ICE – emergency contacts button on the bottom left.
- Press the Home button.
- Quickly tap on an app/widget displayed on the home screen. For example, a direct dial widget allows calling a person without unlocking the phone.
I successfully replicated the bug myself using my Note 2 (model number GT-N7100) running on the latest Android 4.1.2. Pressing the Home button while the emergency contacts are displayed gives me a short glimpse of my phone’s home screen. Depending on what widgets or apps are present on the active home screen, the bug can be relatively harmless or – as Eden puts it – an attack that is of limited value and scope. Nonetheless, even using a different launcher or a 3rd party lock screen does not help protecting the device against the emergency dialer bug.
Only a few days after Eden revealed this security flaw, another smartphone owner disclosed a similar bug affecting Galaxy S3 devices. Sean McMillan posted on the Full Disclosure mailing list a summary and steps on bypassing the lock screen, described below:
- Tap Emergency call on the lock screen.
- Tap the ICE – emergency contacts button.
- Press the Home button once.
- Immediately press the power button after performing step 3.
- If the bug has occurred, pressing the power button the second time directs you to the home screen.
McMillan notes that recreating the bug is not sure to succeed every time. It may take a few tries for the method above to work, sometimes taking even more than 20 attempts. But once successful, the lock screen is disabled until the device is rebooted. He further notes that turning automatic screen rotation on seems to increase the likelihood. He also used three Galaxy S3 devices with the model number GT-I9300 and kernel version 3.031-742798, running on Android 4.1.2.
Unlike the Note 2 bug, this flaw in the S3 lock screen is a major issue, disturbingly one that Samsung has not yet bothered to address, at least publicly. Perhaps they are still busy fixing the previous copy-paste clipboard bug.
Fortunately, not every Android-powered device is affected by the flaw, only ones running on Samsung’s customized software. Is your Galaxy device affected? Leave a comment below.