Smart unlock , where Android users can unlock their phones based on their location or a connected device is to circumvent with Bluetooth. The bug in Android 5.1 fixed. That claim security researchers.
At the DEF CON hacker conference in Las Vegas did security researchers Matteo Beccaro and Matteo Collura explained how a vervalse bluetooth connection to the smart unlock functionality can be fooled. Although Google has solved the problem in Android 5.1, users of Android 5.0 is still vulnerable, say the researchers. Android 5.0 is much more popular than 5.1 and is at 15.5 percent of Android devices, from 2.6 percent to 5.1.
The smart unlock functionality requires the presence pre ingstelde bluetooth connection to unlock a phone without having to enter a code, such as a smart watch. The functionality is intended to make the unlocking of a phone more easily, and yet retain some security. The presence of the Bluetooth device in Android 5.0 can be spoofed .
In order to do this must be guessed four digits of the MAC address, but Android devices that search for a Bluetooth connection to send a beacon from which three of those four digits are present. The fourth digit can be guessed through bruteforcing ; before having to perform only 256 attempts.
The attacker must then send fake bluetooth communciation with the conscious mac address to the Android device in question, and that device thinks the device is paired. An attacker could do that if he has a phone in hands and wants to access the files on the phone but do not have the access features
There is one limitation:. Via Bluetooth are also authentication messages exchanged between the Android device and the associated extension. Those reports are incorrect in a simulated Bluetooth connection. Some time after unlocking the Android phone therefore disconnects, but the attacker already have access to the device. The reason that the attack can not be performed on devices with Android 5.1 is that Android version authentication messages all exchanges when linking and a forged link so notice right away.
It is far from the first security issue Android this week in the spotlight. This week, there is much attention to the bug in video engine Stage Fright and several bugs in the remote support comparison tools from manufacturers under the name Certifi-gate.
No comments:
Post a Comment