Researcher received a $70k award for a Google Pixel lock screen bypass

Google fixed a high-severity security bug affecting all Pixel smartphones that can allow attackers to unlock the devices.

Google has addressed a high-severity security bug, tracked as CVE-2022-20465, affecting all Pixel smartphones that could be exploited to unlock the devices.

The Google Pixel Lock Screen Bypass was reported by security researcher David Schütz that was awarded $70,000 for this flaw.

“The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s device. The vulnerability is tracked as CVE-2022-20465 and it might affect other Android vendors as well.” reads the post published by Schütz, “You can find my patch advisory and the raw bug report I have sent to Google at feed.bugs.xdavidhu.me.”

The expert discovered how to unlock a Pixel phone using a PIN-locked SIM card and knowing its PUK code.

He reported the vulnerability in June 2022 and Google fixed it the release of Android update for November 2022.

Schütz noticed a strange behavior of his mobile divide during a journey and started looking at it again the next day. After rebooting the phone, putting in the incorrect PIN 3 times, entering the PUK, and choosing a new PIN, he noticed that the device went to the “Pixel is starting…” state.

He made further tests and discovered that is possible to bypass lock screen protections with the following sequence of actions:

• Supply the wrong fingerprint three times on the locked device, this causes to disable biometric authentication.
• Hot swap the SIM tray using an attacker-controlled SIM and reset the PIN.
• Enter the incorrect SIM PIN three times, causing the lock of the SIM card.
• In order to unlock the device, it is requested to enter the SIM’s Personal Unlocking Key (PUK) code.
• Enter a new PIN code for the attacker-controlled SIM
• The devices unlocks.

Below is a video PoC of the unlock process:

“Since the attacker could just bring his/her own PIN-locked SIM card, nothing other than physical access was required for exploitation.” Schütz explained. “The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code.”

The expert analyzed source code commits that address the flaw since Android is open source. He discovered that the fix has a huge impact on the overall source code, he noticed that many files have been changed.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Android)

[adrotate banner=”5″]

[adrotate banner=”13″]