David Schütz, a security researcher, has identified a critical bug in Google Pixel phones that allows an attacker with physical access to a vulnerable device to bypass the passcode and pattern lock.
A critical lock screen bypass bug allows anyone to bypass all forms of lock screen protection, including fingerprint, pattern, and PIN, by swapping in a new SIM and using its PUK code.
The bug is a local privilege escalation in Google Pixel phones caused by a logic error in the code; exploiting it requires no additional execution privileges and no user interaction.
The following Android versions are vulnerable to this bug:
Google fixed the bug and released the patch in the November Android security updates; the issue was assigned CVE-2022-20465 with the following description:
“In dismiss and related functions of KeyguardHostViewController.java and related files, there is a possible lock screen bypass due to a logic error in the code.”
The researcher demonstrated the bug with a simple SIM swapping technique: a new SIM together with its PUK code triggers the bug, bypassing the lock screen and unlocking the pattern, passcode, and fingerprint protections.
The PUK (Personal Unlocking Key) code is used to unlock a SIM card whose PIN has been locked after the user entered the wrong PIN three times in a row. The PUK code is printed on the SIM card's packaging.
The bug was triggered and exploited in the following steps, performed by the researcher.
“I realized that indeed, this is a got damn full lock screen bypass, on the fully patched Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too,” the researcher said in his public write-up.
“After PUK unlock, multiple calls to KeyguardSecurityContainerController#dismiss() were being called from the KeyguardSimPukViewController, which begins the transition to the next security screen, if any.”
At the same time, other parts of the system, also listening to SIM events, recognize the PUK unlock and call KeyguardSecurityContainer#showSecurityScreen, which updates which security method comes next.
After boot, this should be one of PIN, Password, or Pattern, assuming they have a security method.
If one of the first dismiss() calls comes AFTER the security method changes, this is incorrectly recognized by the code as a successful PIN/pattern/password unlock,” the Android bug report says.
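The bug report's description amounts to a race between two reactions to the same PUK unlock. The following Python model, added here and not taken from the article or from Android's own source, replays both event orders against a toy keyguard state machine: the vulnerable variant credits any dismiss() to whichever screen is current, while the hardened variant makes the caller state which screen it is dismissing and drops a dismiss whose expected screen no longer matches (an assumption about the shape of the fix, not a claim about the actual AOSP patch). Class and method names echo the report but are constructed for this example.

```python
from enum import Enum, auto

# Toy model of the Android keyguard "security container", constructed for this
# example. Names mirror the bug report (dismiss, showSecurityScreen) but the
# class is not Android code.
class SecurityMode(Enum):
    SIM_PUK = auto()     # SIM PUK entry screen
    PIN = auto()
    PATTERN = auto()
    PASSWORD = auto()
    NONE = auto()        # user has no lock set

USER_CREDENTIAL_MODES = {SecurityMode.PIN, SecurityMode.PATTERN, SecurityMode.PASSWORD}


class KeyguardSecurityContainer:
    def __init__(self, user_mode, check_expected_mode):
        self.user_mode = user_mode                      # what protects the device after boot
        self.current_mode = SecurityMode.SIM_PUK        # screen shown after a PUK-locked SIM is inserted
        self.check_expected_mode = check_expected_mode  # False: vulnerable, True: hardened
        self.unlocked = False
        self.events = []

    def show_security_screen(self, mode):
        """Called by SIM-state listeners once the PUK unlock is observed."""
        self.current_mode = mode
        self.events.append(f"showSecurityScreen({mode.name})")

    def dismiss(self, authenticated, expected_mode):
        """Called by a security view after it has authenticated its own screen.

        expected_mode is the screen the caller believes it is dismissing. The
        vulnerable variant ignores it and credits the dismissal to whatever
        screen is current at the time of the call.
        """
        if self.check_expected_mode and expected_mode is not self.current_mode:
            self.events.append(f"ignored stale dismiss for {expected_mode.name}")
            return False
        if not authenticated:
            return False
        if self.current_mode in USER_CREDENTIAL_MODES:
            # A dismissed PIN/pattern/password screen means the user is in.
            self.unlocked = True
            self.events.append("unlocked")
            return True
        # SIM screen done: move on to the user's real security method, if any.
        if self.user_mode is SecurityMode.NONE:
            self.unlocked = True
            return True
        self.show_security_screen(self.user_mode)
        return False


def run(order, hardened, user_mode=SecurityMode.PIN):
    """Replay the two concurrent reactions to a PUK unlock in the given order.

    'dismiss'   : the SIM PUK view calls dismiss() for the SIM PUK screen
    'sim_event' : a SIM-state listener calls showSecurityScreen(user_mode)
    Returns True if the device ended up unlocked without a PIN/pattern/password.
    """
    kg = KeyguardSecurityContainer(user_mode, check_expected_mode=hardened)
    for event in order:
        if event == "dismiss":
            kg.dismiss(authenticated=True, expected_mode=SecurityMode.SIM_PUK)
        elif event == "sim_event":
            kg.show_security_screen(kg.user_mode)
    return kg.unlocked


if __name__ == "__main__":
    for hardened in (False, True):
        for order in (["dismiss", "sim_event"], ["sim_event", "dismiss"]):
            print(f"hardened={hardened} order={order} unlocked={run(order, hardened)}")
```

Only the ordering `sim_event` then `dismiss` with the vulnerable variant ends up unlocked, which is the case the bug report singles out; the hardened check turns that stale dismiss into a no-op while leaving the normal ordering unchanged. The general lesson is that a "success" callback must carry the identity of the state it completed, so that a concurrent state change cannot be credited to the wrong screen.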
Google acknowledged the bug after multiple reporting attempts by the researcher and, once the Android security team was able to reproduce it, rewarded him $70,000. The same bug had been reported earlier this year, but at that time Google was not able to reproduce it.
“The same issue was submitted to our program earlier this year, but we were not able to reproduce the vulnerability. When you submitted your report, we were able to identify and reproduce the issue and began developing a fix,” Google said during the bug report communication.
“We typically do not reward duplicate reports; however, because your report resulted in us taking action to fix this issue, we are happy to reward you the full amount of $70,000 USD for this LockScreen Bypass exploit!”