Researchers crack Smart Lock feature on Android 5.0


Smart Lock, the feature that lets Android users unlock their phone based on their location or a paired device, can be circumvented by spoofing a Bluetooth connection. The bug has been fixed in Android 5.1, according to security researchers.

At the DEF CON hacker conference in Las Vegas, security researchers Matteo Beccaro and Matteo Collura explained how a fake Bluetooth connection can be used to trick the smart unlock functionality. Although Google has fixed the problem in Android 5.1, Android 5.0 users are still vulnerable, the researchers say. Android 5.0 is much more popular than 5.1 and accounts for 15.5 percent of Android devices, compared to 2.6 percent for 5.1.

The Smart Lock functionality requires the presence of a pre-configured Bluetooth device, for example a smartwatch, to unlock a phone without entering a code. The functionality is intended to make unlocking a phone easier while still maintaining some security. However, the presence of the Bluetooth device can be spoofed in Android 5.0.

To do that, the numbers that make up the MAC address have to be guessed, but Android devices that search for a Bluetooth connection send out a beacon in which three of those four numbers are present. The fourth number can be guessed by brute force; only 256 attempts are needed for this.

The attacker then has to send forged Bluetooth communication packets carrying the targeted MAC address to the Android device in question, after which that device believes its trusted device is present and paired. A malicious person could do this if they have a phone in their hands and want to access the files on it, but don’t have the passcode.

There is, however, a limitation: verification messages are also exchanged between the Android device and the paired device over Bluetooth, and those messages are not correct with a simulated Bluetooth connection. Some time after unlocking, the Android phone therefore disconnects, but by then the attacker already has access to the device. The reason the attack cannot be carried out on devices with Android 5.1 is that that Android version already exchanges the verification messages during pairing and thus detects a forged connection immediately.

It’s far from the first Android security issue to draw attention this week: the bug in the Stagefright video engine and the various bugs in manufacturers’ remote support tools, known collectively as Certifi-gate, have also received a lot of attention.
