
By Molly McLaughlin, Android OS Expert
On the heels of Android's Stagefright flaw, for which Google issued a patch that may leave some devices vulnerable, researchers at the University of Texas have discovered another Android security flaw, this time with the lock screen. This so-called lock screen flaw gives hackers a way to access your locked phone without knowing your password. In order for a hacker to gain access to your data in this way, three conditions must hold: they must have physical access to your device; your device must run Lollipop; and you must use a password to unlock your screen. Here's how your smartphone could be breached and how you can protect yourself while you wait for the security patch to be released to your device.
How the Hack Works
The big difference between this flaw and Stagefright is that would-be hackers must have your phone in hand. The Stagefright breach occurs via a corrupted multimedia message that you don't even have to open. (I've already written about how to protect your device from Stagefright.)
Once hackers get their hands on your smartphone, they can bypass your lock screen by opening the camera app and then inputting a too-long password, which in some cases will cause the lock screen to crash and go straight to your home screen. Thus, the hacker can access all of your apps and private information. The good news? Google reports that it hasn't detected any use of this exploit yet, but that doesn't mean you shouldn't protect yourself.
How to Protect Your Device
If your smartphone runs Lollipop and you use a password to unlock your phone, you could be vulnerable if your phone gets out of your hands. Google is already rolling out a fix for Nexus users, since it can send updates directly to these devices. However, everyone else will have to wait for their manufacturer or carrier to prepare and send out their own updates, which could take weeks.
So what can you do in the meantime? For now, you should change your unlock method to either a PIN number or unlock pattern, neither of which can be breached in this manner. It's also worth enabling the Android Device Manager, which can track the location of your phone and lets you lock it, erase data, or make it ring if you think you left it nearby. HTC, Motorola, and Samsung each offer their own tracking services, and there are also a number of third-party apps available.
If you're tired of waiting weeks and weeks to receive important OS and security updates, rooting your phone is always an option. When you root your phone, you get more control over it, and you can download updates without waiting for your carrier or manufacturer; for instance, the second Stagefright security patch from Google (which I still haven't received) and the lock screen fix. Be sure to look at the pros and cons of rooting first.
Security Updates
Speaking of security updates, recently Google, LG, and Samsung pledged to begin rolling out monthly security updates. Google has already started rolling out regular updates to Nexus users, but so far LG and Samsung have yet to begin, as arstechnica.com reports. Here's hoping LG, Samsung, and the wireless carriers get the ball rolling before another security hole is discovered.
source: about.com