March 21, 2013 report
Researcher says Samsung will release patch for lockscreen hole
(Phys.org) —A security researcher who lists "mobile enthusiast" and "Linux fiddler" among his about-me descriptions this week discovered a security hole on a Samsung Android phone. In a March 20 posting on his blog, Terence Eden said he found a hole that would allow hackers to gain control of a phone's apps, dialer, and settings and, here's the kicker, to do so even when the phone is locked with a password, PIN or other security approach. Potential trouble-making by an intruder could start with the emergency dialer, with certain steps that could result in allowing the intruder to interact with the device and disable the lockscreen as well. Eden discovered the flaw on a Galaxy Note II running Android 4.1.2.
While the ploy allows the intruder only a brief time to interact, repeating the process would let the intruder carry out unwelcome tasks such as making calls and viewing data. (Actually, noted the Naked Security blog, success in making headway with the glitch would require "lightning-fast reflexes" as well as a cancelled call to emergency services.)
Eden said, in his blog posting, "I have discovered another security flaw in Samsung Android phones. It is possible to completely disable the lock screen and get access to any app - even when the phone is 'securely' locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing."
Not all Android phones, however, are vulnerable to the same hole, according to Eden. He said the problem does not occur on stock Android. "I have only tested it on a Galaxy Note II running 4.1.2 - I believe it should work on Samsung Galaxy SIII. It may work on other devices from Samsung."
Samsung is paying attention to the discovery. Eden reported his discovery to Samsung late last month and they are working on a patch, he said, "which they assure me will be released shortly."
© 2013 Phys.org