The vulnerability dubbed as “Elevation of Privilege Vulnerability in Lockscreen” has been coded as CVE-2015-3860.

Below the steps to unlock the screen by forcing the camera app crash.

• Get the device and open the Emergency dialer screen.
• Type a long string of numbers or special characters in the input field and copy-n-paste a long string continuously till its limit exhausts.
• Now, copy that large string.
• Open up the camera app accessible without a lock.
• Drag the notification bar and push the settings icon, which will show a prompt for the password.
• Now, paste the earlier copied string continuously to the input field of the password, to create an even larger string.
• Come back to camera and divert yourself towards clicking pictures or increasing/decreasing the volume button with simultaneously tapping the password input field containing the large string in multiple places.

The Android user will notice the soft buttons (home and back button) at the bottom of the screen will disappear when the camera app is going to become unresponsive. Suddenly the app will crash and get user to the Home Screen of the device.

Below the Video PoC of the hack.

Google has already released a patch for its Nexus devices.

Pierluigi Paganini

(Security Affairs – Android 5.x, hacking)