21 Mar 2013

Android and iOS Screen Lock Bug Deemed Vulnerable

Security researcher Terence Eden found Samsung Android devices vulnerable after he bypassed the lock screen and gained access to the devices’ entire content.

Although the vulnerability was demonstrated on a Galaxy Note II, he’s confident that a Galaxy Note III would be equally affected. Exploiting the emergency call feature, he managed to access, modify and delete data from the device.

Apple’s iPhone 4 was also found vulnerable to a similar lock screen bug, enabling an attacker to browse and delete contacts. The news came shortly after iOS was updated to version 6.1.3.

"They both exploit the emergency call system," said Diogo Monica, security engineer at mobile payments company Square. "When an emergency call is made, it allows a logic bug to be exploited and let you access the screen without authentication."

Although the authentication manipulation error is restricted to some Samsung Android models and the iPhone 4, corporate users may still inadvertently expose sensitive data if targeted. Once an unlocked phone is plugged into a computer, it’s only a matter of minutes until its entire content is downloaded.

"When you try to access your corporate mail, it usually forces you to enable your lock screen," said Glenn Chisholm, CSO and vice president of cyber security firm Cylance. "If the corporation can't trust a lock screen to protect their corporate information ... that's a big problem."

Both manufacturers have been notified of the vulnerabilities, but no updates have yet been released to address them.