Verizon Droid pattern lock bypass

One of the interesting features of Android smart-phones is the pattern lock screen.  Instead of a four digit PIN, the phone is secured with a “pattern” of four to nine dots, arranged in a 3 by 3 square.  This results in a possible 3,024 to 362,880 different combinations.  Sounds pretty secure, right?

Unfortunately, a problem exists with Verizon’s Motorola Droid that allows a person to easily bypass the phone’s pattern lock screen.  The problem so far, seems to be particular to the Droid’s version 2.0.1 software and has not been seen in any other Android phones, including the (Verizon) Droid Eris.  The Nexus One, which uses version 2.1 of the Android software, has not yet been tested for this problem.

Normally when the phone is locked, an unlock pattern is required to access any applications or data.  The exception is for incoming calls; in which case the phone can be answered, without the need for the unlock pattern.

It has been observed that on other Android phones, if you try to access any applications or data, while the incoming call is in progress, you will be asked for the unlock pattern.  However, on the Droid, if you select the “Back” icon during the call you are taken to the “Home” screen without being asked for the unlock pattern.

Once you are at the Droid’s “Home” screen, you have full access to all applications and data; for as long as the incoming call is in progress, and you do not select the “Home” icon.  When the call ends, or you select the “Home” icon, the Droid asks you to enter the unlock pattern.

The following procedure will demonstrate the observed problem on the Droid, and any other Android phones that might also have this problem:

  1. Enable the pattern lock screen on your Android phone.
  2. From another phone, call your phone.
  3. Answer the call, without using the unlock pattern.
  4. Select the “Back” icon.

As long as the call is “in progress,” and you do not select the “Home” icon, you should have full access to the phone’s applications and data.

Until this problem is fixed, anyone who knows your phone number and has physical access to the phone, can have complete access to whatever personal information the phone contains or has access to.  With non smart-phones, this would normally be limited to just contact, schedule and text messages.  But depending upon the kinds of applications you might be using, the privacy breach might also include e-mail messages and financial information; such as credit card and bank account numbers, passwords and PIN.

Thanks to the folks at LA 2600 for testing this on their phones for me.

Update — Further reading…

Spread the word!
  • tonyshoemaker

    Interestingly enough, we discovered that if you have a blue tooth device enabled and paired with the Droid, this vulnerability is non-existent. But once we disabled blue tooth on the Droid, the vulnerability worked.

    • The Assurer

      Confirmed. When a Bluetooth device is paired AND CONNECTED with the Droid, the vulnerability does not exist. Has only been verified with devices using the headset,hands free accessory and stereo profiles.

  • Very sad to see such a simple way to bypass the security mechanism that people rely on.

    I’m sure it won’t be long before they fix this… they have too.

    There is a big discussion about it here:

  • The Assurer

    For the benefit of those who want to know how I came up with the number of possible combinations (permutations, actually) I used the following calculation. For the minimum of four dots, 9 x 8 x 7 x 6 equals 3,024. For the maximum of nine dots, 9 x 8 x 7 x 6 x 5 x 4 x 3 x 2 x 1 equals 362,880.