Password Security Vulnerability in Andriod 4.3
Google’s Android Device Manager has only been locating phones for over a month, but that’s not stopping Mountain View from adding new features. Android Police spotted that the online dashboard now allows users to remotely lock their smartphones with a new PIN code, overriding previous screen unlock measures. this mechanism allows user to override the existing device lock scheme and set password scheme for better security.
But Recently, Curesec Research Team from Germany has discovered an interesting vulnerability (CVE-2013-6271) in Android 4.3 that allows a rogue app to remove all existing device locks activated by a user.
‘The bug exists on the βcom.android.settings.ChooseLockGeneric classβ. This class is used to allow the user to modify the type of lock mechanism the device should have.’ CRT team says in a blog post, Android OS has several device lock mechanisms like PIN, Password, Gesture and even faces recognition to lock and unlock a device. For modification in password settings, the device asks the user for confirmation of the previous lock.
But if some malicious application is installed on the device, it could exploit the flaw to unlock the device without the knowledge of previous password. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks
But if some malicious application is installed on the device, it could exploit the flaw to unlock the device without the knowledge of previous password. Attackers can exploit this issue to bypass certain security restrictions to perform unauthorized actions. This may aid in further attacks
Curesec Team has already reported the vulnerability to Google Android Security Team three times, but unfortulatly Google is not responding them about this issue. Curesec Team has released a proof of concept application (CRT-Removelocks.apk) and Source code to demonstrate the vulnerability.I installed and tested the application on my Samsung Galaxy S4 with Android 4.3 Jelly beans, and seriously – Just one single click on ‘Remove Lock Now’, it immediately removed my Pattern lock from the device.
TF