CVE-2020-10849
Description
Samsung mobile devices with Exynos7885/8895/9810 chipsets running Android 8-10 have a Gatekeeper trustlet flaw that enables brute-forcing of the screen lock password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
An issue exists in the Gatekeeper trustlet on Samsung mobile devices with Exynos7885, Exynos8895, and Exynos9810 chipsets running Android O(8.x), P(9.0), and Q(10.0). The trustlet does not enforce rate limiting or lockout mechanisms, allowing an unlimited number of password attempts. This vulnerability is identified by Samsung ID SVE-2019-14575 and was disclosed in January 2020 [1].
Exploitation
An attacker with physical access to the device can repeatedly attempt screen lock passwords without triggering any lockout or delay. No authentication or special privileges are required beyond physical possession. The attacker can systematically brute-force the password until the correct one is found.
Impact
Successful exploitation reveals the screen lock password, granting the attacker full access to the device and all user data. The attacker gains the same privileges as the legitimate user, leading to complete compromise of confidentiality and integrity.
Mitigation
Samsung released a security update in January 2020 as part of its monthly maintenance release. Users should apply the latest firmware update via Samsung's security update process. No workaround is available; updating to the patched version is the only mitigation [1].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Samsung/mobile devices
- Range: O(8.x), P(9.0), Q(10.0)
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- [1] security.samsungmobile.com/securityUpdate.smsb (mitre, x_refsource_CONFIRM)