Security specialist Terence Eden explained that unauthorized users can press the “emergency call” and the “in case of an emergency” (ICE) contact list buttons and hold down the home button at the same time to cause the device’s home screen to pop up. From there a user can touch an app and gain access to it.
Because it’s an app-by-app access method (i.e., it does not give someone access to the entire home screen and device all at once), he noted that the vulnerability is rather limited. For instance, a hacker can make a call only if the phone has a direct dial widget on the home screen.
“Running the apps is also of limited use - they go into the background immediately,” he said. “If the app performs an action on launch (like recording from the microphone, switching on the flash, playing music, interacting with a server) that action will occur.”
However, there’s a privacy concern: an attacker could see what apps are installed on a given home screen, or could see a calendar and a person’s emails if a widget that displays them is installed.
“Rapidly tapping the home button will - depending on your launcher - allow you to see what is on every home screen,” Eden said. “Using an external video camera you should be able to clearly see all the user's calendar and email widgets if they have enabled them.”
Eden tested the bypass on two Galaxy Note II N7100 devices running the latest UK variant of Android 4.1.2. Both ran the stock launcher and lock screen, but one device was rooted and the other was factory fresh.
So far, Samsung has not responded to Eden’s disclosure, he said. “I know that people within Samsung have been made aware of this bug,” he noted. “Despite that, five days later, and Samsung's security team have not made any contact with me to discuss this bug or its disclosure.”
Apple saw two lock-screen bypass vulnerabilities pop up in February. A bug in iOS 6.1 allows a hacker with physical access to an iPhone 5 to gain access to the phone app and place calls, listen to voice mails and view photos in the contacts section.