CVE-2016-0813 in Android
Summary
by MITRE
packages/SystemUI/src/com/android/systemui/recents/AlternateRecentsComponent.java in Setup Wizard in Android 5.1.x before 5.1.1 LMY49G and 6.x before 2016-02-01 does not properly check for device provisioning, which allows physically proximate attackers to bypass the Factory Reset Protection protection mechanism and delete data via unspecified vectors, aka internal bug 25476219.
Analysis
by VulDB Data Team • 07/06/2022
This vulnerability exists in the Android Setup Wizard component, specifically within the SystemUI package, where the AlternateRecentsComponent.java file fails to properly validate device provisioning status. The flaw affects Android versions 5.1.x prior to 5.1.1 LMY49G and Android 6.0 versions before the 2016-02-01 security update. The vulnerability stems from insufficient authentication checks during the device setup process, creating a critical security gap that allows unauthorized physical access to bypass Factory Reset Protection mechanisms. This represents a significant weakness in Android's security architecture, in which the device's provisioning state is not adequately verified before granting access to sensitive system functions.
The technical implementation flaw occurs in the Setup Wizard's handling of device provisioning status checks, where the system fails to properly validate whether a device has completed the required setup process. Attackers with physical proximity to the device can exploit this by manipulating the system's provisioning state to gain access to the device's data deletion functions. This vulnerability operates at the system-level interface where the device's security policies are enforced, making it particularly dangerous as it allows bypassing fundamental security protections. The unspecified vectors suggest multiple potential attack paths that could be exploited through various physical manipulation techniques.
The operational impact of this vulnerability is severe, as it compromises the core Factory Reset Protection mechanism designed to prevent unauthorized data access on lost or stolen devices. An attacker with physical access can delete device data without proper authentication, effectively neutralizing the security protections that should prevent such actions. This vulnerability directly impacts user privacy and data security, potentially allowing attackers to completely wipe devices and access sensitive information. The risk is particularly elevated in environments where devices may be left unattended or where physical security controls are insufficient.
This vulnerability maps to CWE-284 Access Control Bypass and aligns with ATT&CK technique T1485 Data Destruction, as it enables unauthorized deletion of device data. The weakness represents a critical design flaw in Android's provisioning validation system where the security boundary is improperly enforced. Organizations should implement immediate mitigations including applying the latest security patches, enabling additional physical security measures, and monitoring for unauthorized device access attempts. The vulnerability demonstrates the importance of proper access control validation in mobile operating systems and highlights the need for comprehensive security testing of setup and provisioning workflows. Security professionals should also consider implementing device enrollment and management solutions to provide additional protection layers beyond the native Android security mechanisms.