This month, Google developers fixed a serious issue that could bypass the lock screen on Pixel smartphones and could allow the use of other people’s devices.
The independent researcher who discovered this bug received a reward of $70,000, and now, after the release of the patch, he has spoken publicly about the vulnerability. Let me remind you that we also wrote that a Google Pixel bug prevented users from calling 911, and that a bug in the Google Search app prevented users from making and receiving calls.
The problem received the identifier CVE-2022-20465 and was found back in June 2022 by security specialist David Schütz. In his blog, the specialist says that the bug allowed an attacker with physical access to the device to bypass the lock screen protection (fingerprint, PIN, and so on) and gain full access to the user’s device.
Schütz writes that he found the problem by accident when he returned home after a trip with a practically discharged Pixel 6 in his hands. Since the smartphone had died in the middle of a text conversation, the researcher hurried to connect it to the charger. When the device turned on again, it asked for a PIN code, but Schütz had forgotten it and entered it incorrectly three times, after which the Pixel naturally demanded a PUK code. After finding the original packaging of the SIM card and the PUK code, Schütz finally regained access to the smartphone, but noticed that something strange had happened – the protection on the lock screen was not working.
As it turned out after a long series of experiments, the root of the problem was that the lock screen protection completely failed when performing a certain sequence of actions:
- enter the wrong fingerprint three times to disable biometric authentication on the locked device;
- hot-swap the SIM card, replacing it with an attacker-controlled card that has a preconfigured PIN code;
- enter an incorrect PIN code three times, blocking the SIM card;
- the device will prompt for a Personal Unlocking Key (PUK), a unique 8-digit number used to unlock SIM cards;
- set a new PIN code for the attacker-controlled SIM card;
- the device unlocks automatically.
In fact, this meant that in order to unlock someone else’s device, the attacker only needed to bring their own SIM card with a PIN code set, and to know the PUK code for it. Schütz demonstrated a PoC of the attack in a video.
An analysis of the commits made by Google developers to fix the bug shows that the vulnerability was related to an “incorrect system state” that resulted from a misinterpretation of the SIM card replacement event, which led to a complete disabling of protection.
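To illustrate the kind of “incorrect system state” the fix commits describe, here is a simplified model added for this write-up (it is not Google’s SystemUI code; the class and method names are constructed): keyguard security screens kept on a stack, a weak variant whose SIM-unlock handler dismisses whatever screen happens to be current, and a fixed variant whose dismiss is scoped to the screen that requested it.

```python
from enum import Enum, auto

class Mode(Enum):
    USER_PIN = auto()  # owner's PIN (biometrics already disabled by 3 failures)
    SIM_PUK = auto()   # inserted SIM is blocked and asks for its 8-digit PUK

class Keyguard:
    """Security screens on a stack: owner's PIN at the bottom, SIM PUK on top."""
    def __init__(self):
        self.stack = [Mode.USER_PIN]  # device starts locked by the owner's PIN
    def current(self):
        return self.stack[-1] if self.stack else None
    def is_locked(self):
        return bool(self.stack)
    def sim_blocked(self):
        # three wrong SIM PINs: the PUK screen takes over the keyguard
        self.stack.append(Mode.SIM_PUK)
    def on_sim_state_changed(self):
        # SIM usable again: the view falls back to the owner's PIN screen
        if self.current() is Mode.SIM_PUK:
            self.stack.pop()

class VulnerableKeyguard(Keyguard):
    def dismiss(self):
        # unscoped: pops whatever screen is current, regardless of the caller
        if self.stack:
            self.stack.pop()
    def puk_accepted(self):
        self.on_sim_state_changed()  # carrier SIM event is processed first ...
        self.dismiss()               # ... so the PUK screen's dismiss hits USER_PIN

class FixedKeyguard(Keyguard):
    def dismiss(self, expected):
        # scoped: dismiss only if the requesting screen is still the current one
        if self.current() is expected:
            self.stack.pop()
    def puk_accepted(self):
        self.on_sim_state_changed()
        self.dismiss(Mode.SIM_PUK)   # SIM_PUK is no longer current: no-op

def run_sequence(cls):
    """Replay the article's sequence; return True if the device stays locked."""
    kg = cls()
    kg.sim_blocked()   # attacker-controlled SIM, three wrong SIM PINs entered
    kg.puk_accepted()  # correct PUK entered and a new SIM PIN set
    return kg.is_locked()
```

Running `run_sequence` against both variants shows the weak keyguard ending up fully unlocked while the scoped version is left on the owner’s PIN screen.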
By the way, specialized media also reported that a 0-day vulnerability in Android threatens Pixel, Samsung, Huawei and Xiaomi smartphones.