Simple Android lock screen bypass bug earned researcher $70,000 • TechCrunch

Google has paid a security researcher $70,000 for privately reporting an “accidental” security bug that allowed anyone to unlock Google Pixel phones without knowing their passcode.

The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local privilege escalation bug because it allows someone with the device in hand to access device data without having to enter the lock screen passcode.

Hungary-based researcher David Schütz said the bug was remarkably easy to exploit but took Google about five months to fix.

Schütz discovered that anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android OS lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schütz described how he found the bug accidentally and reported it to Google’s Android team.

Android lock screens allow users to set a numeric password, passcode or pattern to protect their phone’s data, or nowadays a fingerprint or face print. Your phone’s SIM card may also have a separate PIN set to prevent a thief from ejecting and physically stealing your phone number. But SIM cards have an additional personal unlock code, or PUK, to reset the SIM card if the user enters the PIN code incorrectly more than three times. PUK codes are fairly easy for device owners to obtain, often printed on the SIM card packaging or directly from the mobile operator’s customer service department.

Schütz discovered that the bug meant that entering a SIM card’s PUK code was enough to trick his fully-patched Pixel 6 phone and old Pixel 5 into unlocking his phone and data, without ever visually displaying the lock screen. He warned that other Android devices could also be vulnerable.

Since a malicious actor could bring their own SIM card and corresponding PUK code, only physical access to the phone is required, he said. “The attacker could simply swap the SIM card in the victim’s device and run the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code,” Schütz said.
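As an added illustration, not taken from the article or from Android's own code, the following toy keyguard model reproduces the behaviour described above: passing the SIM PUK step ends up dismissing the owner's lock screen as well, so the device unlocks without the passcode screen ever being shown. The "stale dismiss" mechanism (the SIM screen is removed from the stack before the dismiss it triggered runs) is an assumption of this model; the hardened variant makes a dismiss name the screen it was issued for and refuse to pop any other.

```python
from enum import Enum, auto


class Screen(Enum):
    """Security screens the toy keyguard can show."""
    PASSWORD = auto()   # the owner's lock screen credential
    SIM_PUK = auto()    # shown while the inserted SIM is PUK-locked


class Keyguard:
    """Simplified model (assumption, not AOSP code): a stack of security
    screens; the device is unlocked only once the stack is empty."""

    def __init__(self, sim_puk_locked: bool):
        self.sim_puk_locked = sim_puk_locked
        self.unlocked = False
        self.stack = [Screen.PASSWORD]
        if sim_puk_locked:
            self.stack.append(Screen.SIM_PUK)  # SIM screen sits on top

    def current(self):
        return self.stack[-1] if self.stack else None

    def _recompute(self):
        # A SIM state change drops the SIM screen from the stack.
        if not self.sim_puk_locked and Screen.SIM_PUK in self.stack:
            self.stack.remove(Screen.SIM_PUK)

    def _dismiss(self, expected=None):
        # Vulnerable form (expected=None): pop whatever screen is on top.
        # Hardened form: only pop the screen this dismiss was issued for.
        if expected is not None and self.current() != expected:
            return False
        self.stack.pop()
        self.unlocked = not self.stack
        return True

    def enter_puk(self, puk_ok: bool, hardened: bool) -> bool:
        """Return True if the device is unlocked after the PUK entry."""
        if self.current() != Screen.SIM_PUK or not puk_ok:
            return self.unlocked
        self.sim_puk_locked = False
        self._recompute()  # SIM screen is already gone when the dismiss runs
        self._dismiss(expected=Screen.SIM_PUK if hardened else None)
        return self.unlocked


def demo(hardened: bool):
    """Attacker-controlled SIM with known PUK on a passcode-locked device."""
    kg = Keyguard(sim_puk_locked=True)
    return kg.enter_puk(puk_ok=True, hardened=hardened), kg.current()
```

In the vulnerable run the stale dismiss pops the PASSWORD screen and the device unlocks; in the hardened run the dismiss is rejected and the passcode screen is still what the user faces.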

Google may pay security researchers up to $100,000 for privately reporting bugs that could allow someone to bypass the lock screen, since a successful exploit would allow access to a device’s data. Bug bounties are high in part to compete with the efforts of companies such as Cellebrite and Grayshift, which rely on software exploits to build and sell phone-hacking technology to law enforcement. In this case, Google paid Schütz a lower bug bounty of $70,000 because, while his bug was marked as a duplicate, Google had been unable to reproduce – or fix – the bug reported before him.

Google fixed the Android bug in a security update released on November 5, 2022 for devices running Android 10 through Android 13. You can see Schütz exploiting the bug in his video below.
