Samsung Galaxy Note II, S3 exposed to partial "Emergency Call" lock-screen bypasses

An attacker in possession of a locked device can activate some call functions via the “emergency call” feature

Two of Samsung’s flagship smartphones running Android 4.1.2 appear to be vulnerable to separate partial screen lock bypasses via the “Emergency Call” screen.

UK-based mobile enthusiast Terence Eden published details of the simple bypass, which allows an attacker to briefly launch apps and dial numbers on a Galaxy Note II that is locked. An attacker may also be able to view other apps, such as calendar, email or other widgets.

An attacker in possession of a locked device can activate some call functions via the “emergency call” feature. Once inside the emergency call screen, the attacker would need to press the emergency contacts icon, and then hold down the physical home key for a few seconds. This briefly displays the apps on the device’s home screen and allows an attacker to make calls to contacts on the “direct dial” widget.

Eden says he published the attack partly because it has “limited value” -- since the apps that can be launched, although running in the background, are quickly concealed by the screen lock -- but also because Samsung had failed to respond to his disclosure five days after he reported it.

The attack and impact of Eden's discovery is very similar to a separate flaw reported to Samsung in February by UK vulnerability researchers at MTI Technologies. It reported a “partial screen-lock bypass” affecting Samsung’s Galaxy S3, running the same version of Android, which could be achieved via the Emergency Call function.

On the S3, an attacker could issue commands using Samsung’s voice assistant, S-Voice, via the Emergency Call screen, even when the phone is locked. Access is limited to phone features and apps the user has enabled S-Voice to access.

“[O]nly the actual phone / keypad becomes available to a user. Any other applications launched, will still open and execute commands but are not visible to a user and the device will revert back to the lock screen,” MTI reported on a Samsung developer forum.

Like Eden’s attack, limited functionality was gained via the Emergency Call and Emergency Contacts features. Instead of holding the button down, the attacker would need to press the Home button twice to activate S-Voice and then tap the assistant’s icon.

The attacker can instruct S-Voice to dial any number or contact (if the name is known) or access Voicemail. Asking “what is number” or “address” will cause the device to return the address associated with a contact, which may be able to be gleaned by peaking at the SMS inbox if there is an icon on the home page.

Although the apps opened would be concealed by the lock, an attacker could, for example, update the victim’s social media accounts if S-Voice was configured to do so.

Tags samsungsecuritymobilitysmartphones


Comments are now closed

CSO Corporate Partners
  • f5
  • Webroot
  • Trend Micro
  • NetIQ
rhs_login_lockGet exclusive access to CSO, invitation only events, reports & analysis.
CSO Directory

Cloud Security for Enterprise

Encrypt data with easy-to-use key management for virtual, private, and public cloud environments with Trend Micro SecureCloud™.

Security Awareness Tip
Security ABC Guides

Warning: Tips for secure mobile holiday shopping

I’m dating myself, but I remember when holiday shopping involved pouring through ads in the Sunday paper, placing actual phone calls from tethered land lines to research product stock and availability, and actually driving places to pick things up. Now, holiday shoppers can do all of that from a smartphone or tablet in a few seconds, but there are some security pitfalls to be aware of.