what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Samsung Galaxy S3 Screen-Lock Bypass

Samsung Galaxy S3 Screen-Lock Bypass
Posted Feb 22, 2013
Authored by MTI Technology | Site mti.com

The Samsung Galaxy S3 w/ Android version 4.1.2 suffers from a bypass vulnerability due to S-Voice allowing the launch of any command even when the screen is locked.

tags | exploit, bypass
SHA-256 | f859a2a4bfd30be0e55663fe5c258853b5ad3a563064a6354107e8e25a8fc7cc

Samsung Galaxy S3 Screen-Lock Bypass

Change Mirror Download
MTI Technology – Vulnerability Research Team
www.mti.com
ukpentestinfo"at"mti.com

Samsung Galaxy S3 – partial screen-lock bypass


Date found:
17th Feb 2012

Vendor Notified:
20th Feb 2012

Vendor Affected:
Samsung

Device:
Galaxy S3

Model:
GT-19300

OS:
Android 4.1.2

Kernel Version:
3.0.31-742798


Affects:

Only tested on Samsung Galaxy SIII kernel version 3.0.31-742798 but it is possible any Samsung device that allows emergency contacts to be used and has S-Voice present could be vulnerable.

It is a Samsung specific bug not an Android one,


I. Background
MTI technology recently conducted a 45 day internal research program aimed at locating new attacks and vulnerabilities in Android devices. Specifically the Samsung S3 and LG Nexus 4 were tested. Several new issues where located and most of them have or will be reported to the relevant vendors.

MTI will be releasing new advisories in cooperation with the relevant vendors.


II. Overview

Partial device functionality is available to a user from a locked S3, which permits certain activities to be carried out.


III. Problem Description

It is possible to access any functionality available from the S-Voice utility on a Samsung S3 when the phone it locked and a PIN (or other locking method) is set. Any command that can be issued via S-Voice can be issued when the phone is locked; however, only the actual phone / keypad becomes available to a user. Any other applications launched, will still open and execute commands but are not visible to a user and the device will revert back to the lock screen.

To access S-Voice the following steps are followed (assuming the phone is locked with a PIN number):

Press the power / home button to turn phone on,
Swipe the screen to access the PIN entry screen,
Select Emergency Call
Select Emergency Contacts (bottom left icon)
On the Emergency Contact screen, press the Home button twice in quick succession (to active S-Voice)
As soon as the Home button is pressed twice, tap the bottom centre of the screen (the S-Voice Microphone button)
Issue any S-Voice Command.

Commands such as the following can be issued:

Call 12345 - will active the phone, dial the number and display it to a user. The command can be used to call any user, or contact (if the name is known) or even Voicemail if Voicemail has been saved as a contact.
What is number / address – will cause S-Voice to say the number or address associated with a contact
Message
Turn Wi-Fi On / off
Turn Bluetooth on / off
What is on my calendar
Go to Google.com

The S-Voice help screen can be used to obtain a listing of supported / documented commands. MTI were not able to locate any commands not listed in this help page.

A crude method to enumerate contact names is to press the home button from the Emergency Contacts screen and quickly press the message / SMS icon (if stored on the main page) this will briefly display the users SMS inbox, which will reveal contact names.

IV. Impact
Low to Medium depending on the information stored on a phone. A malicious user who has access to a locked S3 would be able to obtain information from the schedule / calendar, make phone calls to any phone number (such as a premium rate number), message contacts, update a user’s Facebook / twitter status (if S-Voice is configured to do so), enumerate contact addresses and phone numbers, active Bluetooth and Wi-Fi.


V. Workaround
In S-Voice settings, disable the ‘Open S-Voice by double pressing the Home Key’ setting.

VI. Solution

Awaiting vendor response. Vendor seems to require Vulnerability Disclosures to be posted in their public developers forum:

http://developer.samsung.com/forum/thread/samsung-s3---partial-screen-lock-bypass/77/222426?boardName=GeneralB&startId=zzzzz~

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close