Sunday, 20 September 2015

Expert: Phone Lock Screen Will Never Be Watertight

This week it was announced that a vulnerability in Android 5.x makes it possible to bypass the lock screen, but according to a developer of the Plasma Phone this kind of problem will always be present, and a screen lock cannot provide watertight protection against a physical attacker.

The Android vulnerability has been patched by Google, but the update has not yet appeared for all the different models and manufacturers. Different requirements apply to a screen lock on a phone than to one on the desktop. The phone must still be able to accept incoming calls, even when the screen is locked. In addition, interaction with notifications, for example an alarm clock, must remain possible. It should also be possible to make emergency calls on a locked phone.

"These exceptions conflict with the requirements of our lock on the desktop. That is, blocking input devices, so an attacker cannot communicate with the active session," said developer Martin Grasslin. The requirements for a phone mean that it must still be possible to communicate with a running session on a locked phone, and that input devices, such as the keyboard, are not blocked.

In recent months Grasslin has thought a lot about how these requirements can be combined without compromising on security, and he has not found a solution yet. "The only thing I see is that if we let applications such as the phone app bypass the lock screen, we actually add a hole to the architecture, and if there is a hole, you can get in through it. There will always be a way to bypass security," he noted.

Purpose of the lock screen

According to Grasslin, the intention of the lock screen must also be considered. On the desktop this is simple: someone with a mouse or keyboard must not be able to access the active, locked session. For a phone this is different, especially if an attacker has physical access. "If someone has enough time, it is unlikely that the attacker can be kept out, and the screen lock is probably not the weakest link in the chain."

It is therefore not about blocking input devices, but about people not being able to see the contents of the phone during an unguarded moment. In that case the now-disclosed Android vulnerability does not really matter, as it takes some time to carry out. "The screen lock prevents access by ignorant people and also by people who only have the same access to it. It's only a problem in situations where it would not matter much, because you already have the device physically in your possession," said Grasslin.
