Unlocking an Android smartphone

Cybersecurity researcher David Schütz accidentally found a way to bypass the lock screen on his fully patched Google Pixel 6 and Pixel 5 smartphones, enabling anyone with physical access to the device to unlock it.

Exploiting the vulnerability to bypass the lock screen on Android phones is a simple five-step process that wouldn't take more than a few minutes.

Google fixed the security issue in the latest Android update, released last week, but the flaw had remained exploitable for at least six months.

Accidental finding

Schütz says he discovered the flaw by accident: his Pixel 6 ran out of battery, he entered his PIN wrong three times, and he then recovered the locked SIM card using the PUK (Personal Unblocking Key) code.

To his surprise, after unlocking the SIM and selecting a new PIN, the device didn't ask for the lock screen password but only requested a fingerprint scan.

Android devices always request a lock screen password or pattern upon reboot for security reasons, so going straight to fingerprint unlock wasn't normal.

The researcher continued experimenting, and when he tried reproducing the flaw without rebooting the device, he found it was possible to go straight to the home screen (bypassing the fingerprint prompt too), as long as the device had been unlocked by the owner at least once since the reboot.

The impact of this security vulnerability is quite broad, affecting all devices running Android versions 10, 11, 12, and 13 that haven't been updated to the November 2022 patch level.

Physical access to a device is a strong prerequisite. However, the flaw still carries severe implications for people with abusive spouses, those under law enforcement investigations, owners of stolen devices, etc.

The attacker can simply use their own SIM card on the target device, enter the wrong PIN three times, provide the PUK number, and access the victim's device without restrictions.

Google's patching

The issue is caused by the keyguard being wrongly dismissed after a SIM PUK unlock, due to a conflict between dismiss calls that affects the stack of security screens running underneath the dialog.

When Schütz entered the correct PUK number, a “dismiss” function was called twice, once by a background component that monitors the SIM state, and once by the PUK component.

This caused not only the PUK security screen to be dismissed but also the next security screen in the stack, which is the keyguard, followed by whatever screen was next queued in the stack.

If there's no other security screen, the user would directly access the home screen.

Schütz reported the flaw to Google in June 2022, and although the tech giant acknowledged receipt of the report and assigned it the CVE ID CVE-2022-20465, they didn't release a fix until November 7, 2022.

Google’s solution is to include a new parameter for the security method used in every “dismiss” call so that the calls dismiss specific types of security screens and not just the next one in the stack.
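The double dismiss and the shape of the fix are easier to see in a small model. The following Python is an added example written for this article, not code from AOSP, Google's patch, or Schütz's report; the class and method names (`KeyguardStack`, `dismiss_before_fix`, `dismiss_after_fix`) are invented, and the real keyguard code is considerably more involved. It models the stack of security screens, replays the two dismiss calls triggered by a correct PUK entry, and shows how a typed dismiss parameter stops the second call from removing the lock screen.

```python
from enum import Enum, auto


class SecurityMode(Enum):
    """Kinds of security screens in this toy model (names are invented, not AOSP's)."""
    SIM_PUK = auto()   # SIM PUK entry screen
    PIN = auto()       # the lock screen credential (PIN/pattern/password)
    NONE = auto()      # nothing left to show: the home screen is reachable


class KeyguardStack:
    """Toy model of the keyguard's stack of security screens.

    The last element is the screen currently shown on top. The real Android
    keyguard is not a plain list; this model only reproduces the dismiss
    semantics the article describes.
    """

    def __init__(self, screens):
        self.screens = list(screens)

    def current(self):
        return self.screens[-1] if self.screens else SecurityMode.NONE

    def dismiss_before_fix(self):
        """Pre-fix behaviour as described: dismiss whatever screen is on top."""
        if self.screens:
            self.screens.pop()
        return self.current()

    def dismiss_after_fix(self, expected):
        """Post-fix behaviour as described: the caller names the security method
        it wants dismissed, and a call that does not match the top screen is ignored."""
        if self.screens and self.screens[-1] is expected:
            self.screens.pop()
        return self.current()


def simulate_puk_unlock(patched):
    """Replay the correct-PUK event: two components each call dismiss once.

    Returns the screen the user lands on afterwards.
    """
    # Constructed starting state: the device has been unlocked once since boot,
    # so the lock screen (PIN) sits under the PUK prompt that appeared when a
    # PIN-locked SIM was inserted.
    stack = KeyguardStack([SecurityMode.PIN, SecurityMode.SIM_PUK])
    if patched:
        stack.dismiss_after_fix(SecurityMode.SIM_PUK)  # SIM state monitor
        stack.dismiss_after_fix(SecurityMode.SIM_PUK)  # PUK screen component: no-op now
    else:
        stack.dismiss_before_fix()  # SIM state monitor pops the PUK screen
        stack.dismiss_before_fix()  # PUK component pops the lock screen as well
    return stack.current()


if __name__ == "__main__":
    print("unpatched:", simulate_puk_unlock(patched=False).name)  # NONE -> home screen
    print("patched:  ", simulate_puk_unlock(patched=True).name)   # PIN -> lock screen
```

The point the model makes is that the bug is not in either caller individually: each one legitimately wants the PUK screen gone. The defect is an untyped "dismiss the top" operation that lets a redundant second call consume a screen it was never meant to touch. Binding each dismiss to the security method it belongs to, as the fix does, makes the redundant call harmless instead of relying on every caller to coordinate.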

In the end, although Schütz's report was a duplicate, Google made an exception and awarded the researcher $70,000 for his finding.

Users of Android 10, 11, 12, and 13 can patch this flaw by applying the November 7, 2022, security update.

11/14/22 - Post updated for better clarity on the flaw exploitation procedure
