SECURITY FLAW! Google Voice Actions usable on lock screen!

Discussion in 'Motorola Droid 2' started by barakaspeed, Oct 12, 2010.

  1. barakaspeed
    I just noticed today accidentally that you can press and hold the search button on the lock screen and perform anything Google Voice Actions is capable of. I am using a Droid 2 unrooted. This may affect the Droid X as well.

    This is a huge security flaw in Motorola's modified pattern/PIN lock screen. Hopefully this thread garners enough attention so that this can be patched soon!


    Steps to reproduce:

    1. Lock your screen
    2. Press and hold the search button "magnifying glass"
    3. Speak any voice action and the phone will respond. Note: you will not get any visual or audible cues that it is working, but it is!
     
    Last edited: Oct 13, 2010
  2. Darkseider
    If you whisper sweet nothings to it, will it light the LED red as if it's blushing?
     
  3. Canadroid
    Only if they're really dirty sweet nothings.

    Interesting, will try this in a little bit. Is it possible this was intended? The lock screen is not a true security layer without additional settings activated anyways, right? I have not set up a passcode or 'tic-tac-toe' style unlocker yet.
     
  4. Numbskill
    It's true. If you unlock the screen after you try it, the "speak now" screen will be open.

    I don't know if I care, honestly.
     
  5. plutonium0587
    This may actually be a useful feature when driving or something.
     
  6. Cyberpolice
    Today, we install applications that we grant access to our personal contacts and other stuff in the phone. I am not sure if this is a concern to me.

    Sent from my DROIDX using Tapatalk
     
  7. barakaspeed
    I hope this 'feature' is actually a bug and gets squashed. I feel a lock screen is just that, a locking mechanism designed to prevent unauthorized access to any level of functionality of the phone that has the potential to incur charges and/or fraud.
     
  8. Redflea
    Clarify what you mean by "lock screen."

    Do you mean the slide to unlock lock screen that always appears?

    Or do you mean this works when the D2 has been locked using a pattern or PIN lock set up in Settings > Location and Security?

    If the former, this is a non-issue, as the standard lock screen has no security whatsoever.

    If you mean the pattern/PIN lock screen, then this is a real security flaw.
     
  9. barakaspeed
    Happens in both scenarios. This is why I'm posting so the word can get out.
     
  10. dast
    When we say Google Voice Actions, are we referring to the stock "Voice Commands" app that comes with the D2?
     
  11. barakaspeed
    No, this is the Google Search app, which can be downloaded from the marketplace. It adds new functionality called Google Voice Actions. You can trigger it by pressing and holding the magnifying glass.

    See:
    Voice Actions for Android
     
  12. dast
    Gotcha.

    I tried this on my rooted D2 (no custom ROM tho) with the default "Voice Commands" stock app and it is not affected by this bug.

    So the workaround would be to uninstall Voice Actions until a fix is available.

    Good catch! This is a serious bug.
     
  13. barakaspeed
    It's not the default "Voice Commands" app, but the Google Voice Search (Actions) that gets invoked by pressing and holding the magnifying glass.
     
  14. dast
    Right right, I got off track with the Voice Commands thing. That bugger ain't what we're interested in.

    One bit I'm still trying to understand, though. Is this an issue on a stock D2 (without any extra apps installed) or do you have to download some extra component to be vulnerable?
     
  15. barakaspeed
    Good question. I quickly removed the latest update to Google Search and my D2 reverted back to the stock version of Google Search. The issue still exists.

    I don't believe this to be an issue with Google Search, rather with Motorola's Lock Screen implementation that doesn't prohibit the magnifying glass button.
     