Two of Samsung’s flagship smartphones running Android 4.1.2 appear to be vulnerable to separate partial screen lock bypasses via the “Emergency Call” screen.
UK-based mobile enthusiast Terence Eden published details of the simple bypass, which allows an attacker to briefly launch apps and dial numbers on a locked Galaxy Note II. An attacker may also be able to view other apps, such as calendar, email or other widgets.
An attacker in possession of a locked device can activate some call functions via the “emergency call” feature. Once inside the emergency call screen, the attacker would need to press the emergency contacts icon, and then hold down the physical home key for a few seconds. This briefly displays the apps on the device’s home screen and allows an attacker to make calls to contacts on the “direct dial” widget.
Eden says he published the attack partly because it has “limited value” -- since the apps that can be launched, although running in the background, are quickly concealed by the screen lock -- but also because Samsung had failed to respond to his disclosure five days after he reported it.
The attack and impact of Eden's discovery are very similar to a separate flaw reported to Samsung in February by UK vulnerability researchers at MTI Technologies. MTI reported a “partial screen-lock bypass” affecting Samsung’s Galaxy S3, running the same version of Android, which could be achieved via the Emergency Call function.
On the S3, an attacker could issue commands using Samsung’s voice assistant, S-Voice, via the Emergency Call screen, even when the phone is locked. Access is limited to phone features and apps the user has enabled S-Voice to access.
“[O]nly the actual phone / keypad becomes available to a user. Any other applications launched will still open and execute commands but are not visible to a user and the device will revert back to the lock screen,” MTI reported on a Samsung developer forum.
As with Eden’s attack, limited functionality was gained via the Emergency Call and Emergency Contacts features. Instead of holding the button down, the attacker would need to press the Home button twice to activate S-Voice and then tap the assistant’s icon.
The attacker can instruct S-Voice to dial any number or contact (if the name is known) or access Voicemail. Asking “what is number” or “address” will cause the device to return the address associated with a contact, which an attacker may be able to glean by peeking at the SMS inbox if there is an icon on the home page.
Although the apps opened would be concealed by the lock, an attacker could, for example, update the victim’s social media accounts if S-Voice was configured to do so.