HP Elite x3 security bug?!

[gvp 1995]

I bought x3 after using 1520 for several years. After I realized there is no glance screen feature, I started to look for alternatives. Quickly discovered HP Display Tools. By setting it to "Screen Timeout Options = never" you achieve kind of similar result.

But when I tapped the phone in the morning to exit this screen, I realized the phone was never locked! I got right to my stuff without any authentication. Needless to say it is a potential security whole.

Or am I missing something?!

 

[invisik]

I don't believe so. That program is mainly for when the phone is docked at your desk. I would continue to lock your phone normally.

-m

 

[gvp 1995]

Well, I don't use the phone with the dock. But you can reproduce this bug/feature yourself if you own x3. Just start HP Display Tools and 10 hours later you will access your phone with no password needed. It is easy to come up with many scenarios how this could be bad. Here is one. Say I am traveling in a train in another country and use this feature to check the time during night. Then I forget my phone. Anyone who finds it has access to all my data. The fact of the matter is HP Display Tools makes your phone unlocked for any prolonged amount of time. No other app on Window phone does it.

 

[PerfectReign]

This is probably the most annoying thing about the X3.

While my sons have a configurable glance-like feature on their Galaxy devices, and my beautiful young bride has Glance on her low end Lumia 640, the otherwise fantastic Elite X3 has only display tools, which is of marginal use.

Sent from mTalk

 

[invisik]

Well, I don't use the phone with the dock. But you can reproduce this bug/feature yourself if you own x3. Just start HP Display Tools and 10 hours later you will access your phone with no password needed. It is easy to come up with many scenarios how this could be bad. Here is one. Say I am traveling in a train in another country and use this feature to check the time during night. Then I forget my phone. Anyone who finds it has access to all my data. The fact of the matter is HP Display Tools makes your phone unlocked for any prolonged amount of time. No other app on Window phone does it.

Right.... don't use it if you're not at your desk. (eg, not what it's designed for)......

-m

This is probably the most annoying thing about the X3.

While my sons have a configurable glance-like feature on their Galaxy devices, and my beautiful young bride has Glance on her low end Lumia 640, the otherwise fantastic Elite X3 has only display tools, which is of marginal use.

Sent from mTalk

Agreed, I REALLY miss Glance.

-m

 

[Krystianpants]

Does the hp display tools mess with the lock screen password required timer in lock screen/sign in settings? It could be changing that to never.

Glance is likely going to come in the form of some other name. I think it was a Nokia feature that was sold off to HMD. MS just needs to make their own version of it. And they are working on one from patents I have seen. It will allow you to make notes on it with a pen like the note 7 did.

 

[gvp 1995]

Does the hp display tools mess with the lock screen password required timer in lock screen/sign in settings? It could be changing that to never.

Glance is likely going to come in the form of some other name. I think it was a Nokia feature that was sold off to HMD. MS just needs to make their own version of it. And they are working on one from patents I have seen. It will allow you to make notes on it with a pen like the note 7 did.

This is what I was thinking at first. But if you set it to any other value (like 3 hours for instance) it does the same. It is certainly a bug, but I suspect it will not be easy to fix. I will still use it as I need at least some replacement for Glance (like check time in the night just by glancing at the screen). Let us hope they will come up with something...

 

[grob9642]

Interesting find. Thanks for posting it. I am contemplating getting this piece and haven't seen this info anywhere else.

 

[Kogling]

By setting it to "Screen Timeout Options = never" you achieve kind of similar result.

Display tools is just an app like anything else and by setting "screen timeout" to never, you're saying "keep this application active indefinitely". It's supposed to be used along side continuum to reduce battery drain

The feature is actually there to be an extra level of security by locking the phone within continuum, to the degree /amount you want.

edit: for clarity I actually just wrote continuum always stays on which isn't true - i've used continuum mostly to play movies on mine which I why I get non existent timeouts.

You have basically said you do not want this safety feature and turned it off. That option has a padlock icon indicating it's pretty much there to lock your phone...

This is what I was thinking at first. But if you set it to any other value (like 3 hours for instance) it does the same.

It works and will lock your phone after the designed time. Just tested with 5 minutes undocked /no continuum.

Does the hp display tools mess with the lock screen password required timer in lock screen/sign in settings? It could be changing that to never.

Not sure about "mess" as applications are allowed to prevent screen timeouts i.e. video players, otherwise that 3 hour movie on a 10 second lock screen would be extremely annoying.

It would, however, upon request most definitely set it to never.

Importantly, it's not related to the system (global) timeout settings as running HP display tools then loading another application results in normal timeout settings.

It is on an application basis, in this case, HP display tool is allowed to stay active indefinitely just like a video player while in focus.

and the fact of the matter, setting an app to stay always on should result in this. Just because the screen is all black and act like glance doesn't mean its an internal system extension to the lockscreen

 

[gvp 1995]

Kogling, you are probably correct in all your statements. But the fact of the matter is that I do use this feature without the dock just to simulate Glance screen - to have at least clock during the night. And whatever the rational is (not use it without the dock, don't set timeout to 'Never', etc.), as soon as I press the icon "HP Display Tools" the phone stays unlocked. As I said, I am still going to use it in the absence of Glance.

The analogy with the video player is a good one, but it is a bit different. When you start playing a movie the assumption is that you are in control and do watch it. When I start this simulated glance screen, next time I look at it maybe 8 hours later. In which time the phone can be stolen or something.

 

[Kogling]

But the fact of the matter is that I do use this feature without the dock just to simulate Glance screen

That's fine, but the app (and the other variants) were not made for that purpose in mind.

A potential improvement /area to cover in the case of targeting a user-space "glance" application, but by no means a security bug for a continuum battery saver - no more a security issue than playing a video and leaving your phone on the desk for anyone to grab.

The analogy with the video player is a good one, but it is a bit different. When you start playing a movie the assumption is that you are in control and do watch it.

The assumption with display tools is that you're actively on continuum /docked and set the timeout to match your needs, otherwise you undock it and take it with you, or lock it manually

If you're on a train, fall asleep watching a movie and your friend decides they want to browse your photos after pausing the video you were both watching? A valid scenario isn't hard to materialize.

Im not saying it's not possible to make it lock as you are requesting, but the way of stating its a security bug is kinda meh. It's like me making a 24h hour video in black with the time in white and synchronising the play position to the current time and then telling microsoft there's a security bug with their video player..

Make a request for a feature by all means.

 

[gvp 1995]

It is hard for me to argue as I have no clue what was the purpose in mind when creating this app. My story is very simple. I discovered there is no Glance on Elite x3. I googled it and found this solution on YouTube. Neither I know what HP had in mind nor do I care. I found my solution but realized it is not 100 % secure. To call it a security bug? Maybe you are right and it is far fetched. The chances are low. Would it be better if in the morning I find it locked? You betcha. Request for a feature? I am not that sophisticated. If someone from HP or MS is monitoring this, maybe they will keep in mind people use 'HP Display Tools' as a replacement for 'Glance Screen' and come up with something.

And btw, in my view it would not be bad if after a few hours of playing a movie the phone is locked and to come back one would need to use PIN or biometrics. After all when playing music my phone gets locked after one minute.

 

[Kogling]

And btw, in my view it would not be bad if after a few hours of playing a movie the phone is locked and to come back one would need to use PIN or biometrics. After all when playing music my phone gets locked after one minute.

Audio plays as a background process and the system provides audio-related navigation from a locked phone. That's a system level feature like glance was in Lumia, to do it purely in a user-level application would require similar functionality as HP display tools i.e. prolonging timeouts, a permanently active foreground applications and blacking the screen to reduce battery drain on oled screens,

An application could still render a frame for a glance screen as a background process and stream it to an external display over the internet, but the phone's screen and the state of being locked is tightly coupled with the screen being cycled on/off as far as I'm aware. There's nothing stopping an application from locking the phone I believe, as they will most certainly get an event for application closure or being minimised that they can signal a lock under (probably not if it crashes to start screen though).

Though I'm not sure if there is a force-lock API or passive way to enable it - it would be cycling the screen timeout to get the lock functionality which would probably be annoying as you''ll press the window key, the screen would turn off and you'd have to cycle it back on...

 

[nate0]

Anyone submit this to HP to see and did you get any reply or feedback?

Sent from mTalk