SECURITY FLAW! Google Voice Actions usable on lock screen!

My lock screen is not intended (in my case) for security. I look at it as a way to prevent pocket dialing and accidental screen presses.

But that's just me... I can see how some would find this annoying....
 
My lock screen is not intended (in my case) for security. I look at it as a way to prevent pocket dialing and accidental screen presses.

But that's just me... I can see how some would find this annoying.... but as stated, uninstall the Google Voice Search app.

To clarify, this does not only affect the lock screen, but the PIN/pattern lock screen as well. I didn't see anywhere that it was confirmed uninstalling it fixes the issue? I just tried and the issue remains.
 
Thanks for posting. I will edit my previous post but leave this one for the record :)
 
I'm having a little issue here. I can't seem to make this error happen. The only way voice search comes up on my Droid 2 is to swipe the arrows, I don't use a lock pattern.

Now it seems to me that what you guys are saying is if you just long press on the search button that the search feature is popping up. If that's what you're saying, it's not working for me and I do have the latest search functions installed.
 
Here's the instructions from my 1st post:
Steps to reproduce:

1. Lock your screen
2. Press and hold the search button "magnifying glass"
3. Speak any voice action and the phone will respond. Note: you will not get any visual or audible cues that it is working, but it is!


You see, while the screen is locked, you press the magnifying glass (you don't get any popups or audio cues) but it is working behind the scenes.

The best way to demonstrate this is by saying "Dial XXX-XXXX". Obviously filling in a number of your own. If Google Search (Voice Actions) doesn't have trouble interpreting you, it will automatically start dialing the number and you can take the call.

Edit: If I can get some free time from the kids :) I'll try to upload a video to YouTube demonstrating this.
 
Ok you're right. However, is that all that can be done? I mean, for example if I lose my phone, and I have a pattern lock screen set up, the other person uses the magnifying glass. Is the worst thing they can do is make a call by saying dial xxx etc?

If so, it's not really a big deal imo. If this allows them to actually unlock my phone however then I'd be concerned.
 
Granted, it's not even close to the flaw in the original D1 when that first came out. Nevertheless, from a security viewpoint, the phone shouldn't allow unauthorized phone calls from the lock/PIN/Pattern screen. In the rarest of occasions, someone could potentially make fraudulent and potentially expensive phone calls from your phone.

I push for a fix simply because I believe in the Android platform. Manufacturers are trying to bring Android into the enterprise market and with flaws as little as this, Android won't be accepted.
 
OK, with my screen dark I tried pressing the search button: Call wife. Nothing. So then I pressed the button to get the opening screen by swiping the arrows. I pressed search button: Call Wife. Nothing happened.

I'm not saying of course that I don't believe you, I can't reproduce this issue. It may not be that everyone has this problem.
 
I really hope the OP isn't successful with his little "campaign". Call home while the phone is locked is an important FEATURE for me when I drive and is probably what was intended. The only thing he did was open up yet ANOTHER iPhone/BB/Android flame war. Good going.

If anything, I would hope that they make certain actions selectable as valid while the lock screen is on.
 
I can't listen to that video, but was able to watch it. It doesn't look like you can actually do anything, so I kinda get atlharry's point here. (correct me if I'm wrong) The iPhone will allow you to use voice commands (call people, play music) while in a locked state, and it's a pretty nice feature, both from a convenience and safety standpoint.
 
I hope I haven't personally offended you. I'm a fan of Droid, Android etc. All I want is to see this fixed or have it be an option to turn it on or off, as in your case.
 
Old issue I know, but I registered just to point this out: the press on this issue as a major security vulnerability was a little bit off-target. This discussion has existed for as long as there have been voice dialers and phone locking. A voice recognition application that doesn't allow you to use it while the screen is locked is unusable to many people.

I agree that an ideal Voice Actions app is one that allows you to specify what commands, if any, can be issued during a screen lock. But even on the old Windows Mobile Voice Commander, which had this as an option, disabled by default, people still raised an uproar about the "security flaw."

People using their phones with ActiveSync for business often have auto-password-locking screens set as a requirement, checked every time before email is synced. These people are often forced to choose between their work, and the safety (and legality) of being able to dial hands-free via bluetooth while driving. A voice action software that doesn't allow the user to enable at least some basic functionality even during a screen lock is equally, if not more so, a risk to the user.

Again, the best route is the option to choose, but failing that, I see enabled vs. disabled as a matter of opinion, and risky in either case, but not as the "major security bug" that this was reported as. I for one am 1) an experienced security professional and expert, and 2) one who would gladly take a fully enabled voice action phone during screen lock (and accept that risk), rather than a fully disabled one, or none at all. Heck, there are even mitigating controls. You can disable many billable calls with the carrier and you can remotely wipe the phone if stolen.
 