Sunday, October 02, 2011

AT&T Galaxy S II security bug not a vulnerability after all

An Android manufacturer is in trouble over a security issue in a product that has just been released. The handset maker is Samsung, the world's largest Android handset maker, but the bug isn't anywhere near as bad as it was first advertised.

It's a security flaw in its Galaxy S II phone, but it seems as though it's only in the AT&T version, not the version that was released on Sept. 16 by Sprint. The AT&T version went on sale Sunday.

The flaw isn't what is being reported, however. As described, it seems like it's an easy security hole to exploit. The bug exists for both PIN and pattern-locked devices. You can seemingly unlock without either by waking up the device, then letting the screen time out again. Wake it up again, and voilà: no security prompt, and you're in.

This bug only happens if the device has been unlocked at least once since the last time it was powered up.

Samsung has admitted the flaw, saying,

"Samsung and AT&T are aware of the user interface issue on the Galaxy S II with AT&T. Currently, when using a security screen lock on the device, the default setting is for a screen timeout. If a user presses the power button on the device after the timeout period it will always require a password. If a user presses the power button on the phone before the timeout period, the device requests a password – but the password is not actually necessary to unlock it.

"Samsung and AT&T are investigating a permanent solution. In the meantime, owners of the Galaxy S II can remedy the situation by re-setting their time-out screen to the “immediately” setting. This is done by going to the Settings ->Location and Security->Screen unlock settings->Timeout->Immediately."

Why does this fix it? It sounds strange, but it works because the bug is not what you think it is.

The bug is not that the device lets you in without security, per se. It does, but not for the reason you think. The actual bug is that the security prompt comes up at all.

The default timing for the device lock on the Galaxy S II is 5 minutes. What's actually happening is that the lock prompt is coming up when it shouldn't. The second time you try to enter the device, the prompt doesn't come up.

Following Samsung's instructions "fixes" the issue because it means when you think the device is locked, it really is. So, you can use Samsung's instructions to fix the "bug," or you can leave it as is and realize that letting the screen time out again might be easier than having to enter your PIN or pattern unlock code, at least until this bug is fixed with a minor ROM update.

It's not really a vulnerability. In a sense, and fully tongue-in-cheek, the device is really being overprotective.

You can see the bug in a video below.
