If you've got an Android 5 smartphone with anything but the very latest version of Lollipop on it, it's best to use a PIN or pattern to secure your lock-screen – because there's a trivial bypass for its password protection.
The vulnerability, details of which were published here by University of Texas researchers on Tuesday, allows miscreants to sidestep lock-screens on Android 5 devices, unless they've been fully patched to version 5.1.1 including last week's security updates.
"By manipulating a sufficiently large string in the password field when the camera app is active, an attacker is able to destabilize the lockscreen, causing it to crash to the home screen," the researchers write.
Yes, by typing in too many characters, you can kill off the security mechanism and gain full access to the device, even if its filesystem is encrypted – miscreants can exploit this to run any application, or enable
adb developer access to the device.
The attack only works if the gadget has a lock-screen password set, the researchers note: the attack doesn't work against pattern or PIN setups.
Google patched the flaw here. Nexus users who install the patch themselves can protect themselves – everyone else will have to wait for their network carrier to emit the updates over the air. T-Mobile US, for one, has already started doing this.
You can watch the bug being exploited in the video below. ®