updated 06:05 pm EST, Mon March 4, 2013
Flaw allows for limited app access, direct dial execution
A flaw in Samsung's equivalent to Siri, S-Voice, allows for a very limited workaround of most of Samsung's Android 4.1.1 and 4.1.2 device security. Enthusiast Terence Eden discovered that given a very specific set of circumstances, the devices will allow an unauthorized user or thief to run apps and dial numbers, even when the device is locked. Five days after insuring that the Samsung security team was aware of the issue, Eden reports that he has not heard back from the Korean manufacturer about the flaw.
The procedure relies on nimble fingers to implement properly. Following a press of the "emergency call" button, if the user depresses the "ICE" button and holds down the physical home key for a few seconds, then the phone's home screen will be briefly displayed, allowing for a user to click an app or widget and allow it to execute. If the widget is a "direct dial," then the phone will dial the number, and start ringing.
The discoverer does admit the attack as it stands is of "limited value." Other than non-standard revisions of the OS being installed by the user, there is no protection against the procedure. Eden mentioned in his blog post that he "spoke to several external security people, and Samsung relationship managers within the industry, who have raised the issue directly with Samsung." He also claims Samsung has a "really poor record on Android security" and has yet to hear back from the security response team.
Superficially, the bug is similar to one found in Apple's iOS 6.1. The Apple bug requires a much more complex sequence to initiate, but allows greater access.