PIN-locked SIM card? No problem. It's easy for an attacker to bypass the Google Pixel lock screen on unpatched devices.
November 10, 2022
The November 2022 Android update includes a remediation for a bug that could allow an attacker to bypass the Google Pixel lock screen.
The researcher behind the discovery, David Schütz, reported the Google Pixel security flaw back in June after a series of errors led him to finding the vulnerability. He had forgotten his PIN after his device ran out of battery and died. After reboot, Schütz entered an incorrect PIN number three times, triggering the SIM card to lock itself.
Luckily, he explained in a blog post this week, he had the original SIM packaging with the factory personal unlocking key (PUK) code to open the SIM card. From there he was able to gain access to the device without ever entering the correct PIN.
"After I calmed down a little bit, I realized that indeed, this is a got d*mn full lock screen bypass, on the fully patched Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too," he wrote.
The Google Pixel lock screen bypass vulnerability is tracked under CVE-2022-20465. Here are the bypass steps, according to Schütz:
Enter the wrong PIN three times.
Hot-swap the device SIM for an attacker-controlled SIM with known PIN code.
Enter the new SIM's eight-digit PUK code.
Enter the new device PIN.
Presto! The device unlocks.
For his efforts, Schütz said he was awarded a $70,000 bug bounty, along with bragging rights.
About the Author(s)
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024