A Security Issue in Android That Remains Unfixed – Pull-down Menu On Lock Screen
Having your phone lying around when your kids are playing with everything they find is a great security test. They immediately discover new features and ways to go beyond the usual flow.
This is the way I recently discovered a security issue with Android. Apparently, even if the phone is locked, the pull-down menu with quick settings works. Also, volume control works. Not every functionality inside the quick settings menu works fully while unlocked, but you can disable mobile data and Wi-Fi, you can turn on your hotspot, you can switch to Airplane mode.
While this has been pointed out on Google Pixel forums, on reddit and Stack Exchange, it has not been fixed in stock Android. Different manufacturers seem to have acknowledged the issue in their custom ROMs, but that’s not a reliable long-term solution.
Let me explain why this is an issue. First, it breaks the assumption that when the phone is locked nothing works. Breaking user assumptions is bad by itself.
Second, it allows criminals to steal your phone and put in in Airplane mode, thus disabling any ability to track the phone – either through “find my phone” services, or by the police through mobile carriers. They can silence the phone, so that it’s not found with “ring my phone” functionality. It’s true that an attacker can just take out the SIM card, but having the Wi-Fi on still allows tracking using wifi networks through which the phone passes.
Third, the hotspot (similar issues go with Bluetooth). Allowing a connection can be used to attack the device. It’s not trivial, but it’s not impossible either. It can also be used to do all sorts of network attacks on other devices connected to the hotspot (e.g. you enable the hotspot, a laptop connects automatically, and you execute an APR poisoning attack). The hotspot also allows attackers to use a device to commit online crimes and frame the owner. Especially if they do not steal the phone, but leave it lying where it originally was, just with the hotspot turned on. Of course, they would need to get the password for the hotspot, but this can be obtained through social engineering.
The interesting thing is that when you use Google’s Family Link to lock a device that’s given to a child, the pull-down menu doesn’t work. So the basic idea that “once locked, nothing should be accessible” is there, it’s just not implemented in the default use-case.
While the things described above are indeed edge-cases and may be far fetched, I think they should be fixed. The more functionality is available on a locked phone, the more attack surface it has (including for the exploitation of 0days).
Having your phone lying around when your kids are playing with everything they find is a great security test. They immediately discover new features and ways to go beyond the usual flow.
This is the way I recently discovered a security issue with Android. Apparently, even if the phone is locked, the pull-down menu with quick settings works. Also, volume control works. Not every functionality inside the quick settings menu works fully while unlocked, but you can disable mobile data and Wi-Fi, you can turn on your hotspot, you can switch to Airplane mode.
While this has been pointed out on Google Pixel forums, on reddit and Stack Exchange, it has not been fixed in stock Android. Different manufacturers seem to have acknowledged the issue in their custom ROMs, but that’s not a reliable long-term solution.
Let me explain why this is an issue. First, it breaks the assumption that when the phone is locked nothing works. Breaking user assumptions is bad by itself.
Second, it allows criminals to steal your phone and put in in Airplane mode, thus disabling any ability to track the phone – either through “find my phone” services, or by the police through mobile carriers. They can silence the phone, so that it’s not found with “ring my phone” functionality. It’s true that an attacker can just take out the SIM card, but having the Wi-Fi on still allows tracking using wifi networks through which the phone passes.
Third, the hotspot (similar issues go with Bluetooth). Allowing a connection can be used to attack the device. It’s not trivial, but it’s not impossible either. It can also be used to do all sorts of network attacks on other devices connected to the hotspot (e.g. you enable the hotspot, a laptop connects automatically, and you execute an APR poisoning attack). The hotspot also allows attackers to use a device to commit online crimes and frame the owner. Especially if they do not steal the phone, but leave it lying where it originally was, just with the hotspot turned on. Of course, they would need to get the password for the hotspot, but this can be obtained through social engineering.
The interesting thing is that when you use Google’s Family Link to lock a device that’s given to a child, the pull-down menu doesn’t work. So the basic idea that “once locked, nothing should be accessible” is there, it’s just not implemented in the default use-case.
While the things described above are indeed edge-cases and may be far fetched, I think they should be fixed. The more functionality is available on a locked phone, the more attack surface it has (including for the exploitation of 0days).
You are totally right about that, especially on the attack surface part.
AOSP would only have to adopt what GraphenOS already implemented, as GrapheneOS does not allow interaction with the Pull-Down Menue.
Hi Bozhidar, your post made us think to take two features from our Cerberus Anti-theft service and create an app called Cerberus Lock Screen Protector. It can block the quick settings and power menu from the lock screen, it is free, with no ads and does not collect any data – besides anonymous data from Firebase Analytics/Crashlytics to improve performance.
I apologize for the shameless plug, but in case you are interested you can install it from here: https://play.google.com/store/apps/details?id=com.lsdroid.lsp
I used to hide the Airplane and Mobile data tiles from this menu. So, leaving no option to turn off mobile data with an e-Sim could ease things.
But now, the Mobile Data tile was replaced by the new Internet tile (mobile data and wifi in one space) making it harder to choose between having an easy access to Wifi networks or staying safer against theft.
Some people discovered a temporary way to bring back the old tiles using ADB, but a simple reset will undo this solution.
Luckily, I found this amazing app called Cerberus that tries its best to fully lock the phone if the pull-down menu or the power menu are used on the locked screen, making it very difficult for the thief to use it. The downside for me is that the Flashlight tile is now only usable with the screen unlocked. Anyways, this is a minor problem.
Yeah, this is completely insane, and a massive security hole.
Any idiot can just disable your networking, and kill the phone’s notifications, so you will miss important messages, reminders, PIM data won’t get synced to your server, and the phone can be made to excessively waste battery too.
At this point, I suspect it is deliberate. Like say the good friends of NSA, FSB, China, Mossad, etc, demanding it for some stupid bureaucratic power trip. Especially since apparenty, iOS has the same “bug”.
(Since every *evil person ever* played the “I’m such a dummy” card because it plays right into the wishful denial of black-eyers, the correct way around for the saying is: Never attribute to stupidity, what can be attributed to malice! (Also, stupidity *is* a form of malice, by definition, anyway!)
I hope there will be an actually affordable open and modular phone in the future, so I can just install Gentoo, and run my own scripts, for a billion times more comfort as the psychopathic kraken would ever offer its livestock.
Incredibly, this serious security flaw remains unresolved to this day! I’d have thought there’d be *SOME* kind of stock functionality so their devices don’t come with a pre-built tool thieves can use to disable the majority of protections in ‘Find My Device’.
I guess corporate sponsored theft might be an effective way to drive phone sales 😁 (I joke, of course – before ppl get their knickers in a knot!).
Whilst it sounds like the Pixel 8 (Pro only, I believe) will remain accessible to ‘Find My Device’ tools even when powered down. That’s great news (sans the privacy issues) but it’s pretty rough to expect everyone else to just suck it up e.g. those who can’t afford to buy every new device as it’s released. Google continues to release software updates for it’s devices well beyond what most device manufacturers offer – my opinion is they should make security and safety related feature updates for the life of device. I understand those constrained by hardware requirements/incompatibility and even special features like better photo editing capabilities etc (at least for a period before broader deployment) but not this..