Turns out you don't need to be a technical wizard to break an Android lock-screen password.
On certain Android phones running unpatched versions of the OS, inputting hundreds of characters for a password on the device's lock screen causes the smartphone to throw up the white flag and authenticate a user—no matter the combination of characters you try.
Before we describe the attack, know that the issue has been fixed in an updated version of Android 5.1.1 for Google's Nexus 4, 5, 6, 7, 9, and 10 devices. And it only affected Android devices running versions 5.x to 5.1.1 (before build LMY48M), which represents around 20 percent of today's Android devices. That's a decently big number of Android users, but certainly not all of them.
The exploit, discovered by researchers at the University of Texas, has only been tested on Nexus devices, but it's thought that it would also work on other devices running Android version 5, Wired said. However, if you have not updated to the LMY48M build of Android 5.1.1, you can block the whole issue with a pretty simple solution: Don't use a password to authenticate your smartphone. Switch over to a PIN or a pattern for your lock screen, and you'll be fine.
Otherwise, you could be susceptible to the attack, which requires a person to have physical access to your phone (obviously). On the lock screen, an attacker just has to open Android's emergency call option and start typing in a bunch of characters—say, 10. Copy that, paste it, copy the now-doubled string of characters, paste that, copy the… you get the idea. If you do that around 10 or so times, you eventually won't be able to select the super-long string of characters.
From there, an attacker heads back to the device's lock screen, pulls up the phone's camera, swipes down from the top of the phone to reveal its notification drawer, then taps the settings icon. Doing so causes the phone to ask for a password.
"Long-tap in the password field and paste the characters into it. Continue to long-tap the cursor and paste the characters as many times as possible, until you notice the UI crash and the soft-buttons at the bottom of the screen disappear, expanding the camera to fullscreen," the university said in a blog post.
Once Android restores itself after the crash, an attacker should have access to the device's normal home screen. And, with it, full access to everything within Android that a normal, authenticated user could access.