[Update: Mystery solved] Security Flaw in the Amazon Prime Exclusive Moto G5 Plus Allows for Easily Bypassing the Lock Screen
The Amazon Prime Exclusive smartphone program has been met with mixed views. On one hand, being able to get a smartphone for less than retail price can be incredibly beneficial, especially if it’s a smartphone you’ve had your eye on but that was priced too high for you. Some have been happy to accept the lock screen ads that allow the device to be more affordable. However, it looks like the lock screen of this Prime Exclusive Moto G5 Plus may not be as secure as one would think. A user on Twitter recently found a flaw that allows them to bypass the lock screen security in a rather simple manner.
The idea behind the Amazon Prime Exclusive smartphone program makes a lot of sense. This is especially true these days, when entire websites are funded by revenue generated from ads. The software running on our smartphones can be highly susceptible to attack, and this is especially true when some code has been injected into the lock screen so that it can display advertisements to the user. This security flaw was recently discovered by @jaraszski, but the process to replicate it is very specific.
Hey @amazon @MotorolaUS. I found a security flaw in my Amazon moto g5. Hit fingerprint sensor (it says fingerprint not recognized), then press power button, then click view ad on the lockscreen. This gives you 100% access to the phone. pic.twitter.com/eqLWLn34pD
— Jaraszski Colliefox (@jaraszski) January 22, 2018
Originally the idea was that all you had to do was touch the fingerprint sensor of an Amazon Prime Exclusive Moto G5 Plus with a finger that wasn’t registered with the device. The video uploaded to Twitter shows that you can press the power button right after you’re told the device doesn’t recognize the fingerprint. This gives you an ad on the lock screen, which then allows you to tap a button to view the ad. With that done, the video shows the person has gained 100% access to the device.
This was done with Moto Display on, but the flaw isn’t as bad as it may seem. After Reddit user PartyDannyTanner did some digging, they were able to find out some additional details about this flaw. It can only be replicated if the device hasn’t actually been locked. By that we mean that if we wait long enough with the display turned off, the phone goes into full secure mode and this method does not work. However, even when we dive into the settings of the Prime Exclusive Moto G5 Plus and set the option that tells the phone to lock immediately after you press the power button, it will still allow the phone to be unlocked just by swiping.
There seems to be a 30-second window after the display turns off during which the device may seem locked but actually isn’t. You’ll want to look at the icon at the bottom of the lock screen that indicates fingerprint use. This is where you’ll see a sign when it is actually locked behind fingerprint/PIN. So while this security flaw doesn’t seem to be as bad as many people originally thought it was, it’s still something that should be looked at, especially when there’s a setting that specifically says the phone is instantly locked when you press the power button.