(CNNMoney) — The latest Android phone flaw is sheer stupidity.
Locked phones require a passcode. But there’s a way to get around that. Just type in an insanely long password. That overloads the computer, which redirects you to the phone’s home screen.
It’s a time-consuming hack, but it’s actually easy to pull off.
In a report published Tuesday, computer security researcher John Gordon documented the vulnerability and posted a video of the hack. It only affects smartphones using the latest version of the Android operating system, Lollipop.
It’s basically a game of copy-and-paste.
From the locked screen, open the phone’s “Emergency Call” feature. Type a few characters, then copy and paste the text repeatedly. The character “string” grows exponentially, so it quickly becomes close to 40,960 characters long.
Then open the phone’s camera app and prompt the phone to request a password. Paste the super long character string a few times until the system crashes. (Based on Gordon’s video, it looks like 163,840 total characters.)
Wait maybe five minutes, and the phone goes straight to the unlocked home screen.
Gordon warned Google about the vulnerability back in August, so the company released a patch for the flaw last week. But phones will remain vulnerable until they’re updated with the latest software patch.
The patch is already available for Google’s own line of phones — the various Nexus models. But there’s no telling when it’ll reach Android devices made by Samsung, LG and others. Blame Android’s fractured updating system, which is slowed down by phone manufacturers and cellphone network carriers.
However, according to Extreme Tech, the flaw relies on Google’s default Android lock screen. Other manufacturers often modify their lock screens and camera apps, so many devices may not be vulnerable.
Google has acknowledged the flaw, saying that the hack lets someone who grabs your phone “view contact data, phone logs, SMS messages, and other data that is normally protected.”
Timeline from Gordon’s post:
- 2015-06-25: Vulnerability reported privately to Android security team.
- 2015-07-01: Android confirms vulnerability can be reproduced, assigns LOW severity issue.
- 2015-07-15: Android promotes issue to MODERATE severity.
- 2015-08-13: Android commits a patch to fix vulnerability.
- 2015-09-09: Android releases 5.1.1 build LMY48M containing fix.
- 2015-09-14: Android marks issue public.
- 2015-09-15: UT ISO publishes this writeup.