Motorola DROID unlock screen and Google account security flaw uncovered

January 11, 2010

    Uh oh, a security flaw that allows unauthorized access to a locked Motorola DROID has been discovered rather haphazardly by desperate folks who were locked out of their phone. After 20 incorrect tries at entering the proper unlock sequence, an Android handset will lock itself, requiring the user to enter their Google account information. Sounds nice and easy, except there is a bug in older Android phones – even when you enter the proper credentials, the phone remains locked. This desperate situation led people to try all sorts of procedures to access the phone and turn off or change the unlock sequence. Astonishingly, someone realized that you could hit the back button during a phone call and access not only the homescreen but everything else on the phone. As long as the call is connected, the user has almost unfettered access to your supposedly locked phone. Thankfully, once the call is ended, the phone reverts back to the unlock screen and you need to enter the unlock sequence or Google account information to access the phone again. Gaining access to a locked phone by a mere phone call is bad enough but another more devious action can change your phone’s Google account and its lock sequence without your knowledge or consent. Hit the jump for the details.

    To make matters worse, another person discovered that you could turn on WiFi and add a new Google account to the phone during that short time of unlimited access when the phone is in a call (as described above). Once the phone call ends, you return back to the home screen and can attempt to enter an incorrect lock code 5 times. The handset will warn you and a “did you forget your pattern” box appears at the bottom of the screen. Click on that link, enter in the credentials for the newly added Google account and voila, you can reset the unlock sequence and gain full access to the phone. A thief who had stolen your DROID (or your friend who had lifted it while you were sleeping) can easily gain full access to your phone, reset the unlock sequence, and completely shut you out.

    via TechCrunch and Google

    Comments