Android: a simple way to bypass the lock screen, discovered (by chance)

A security researcher discovered, almost by accident, a way to bypass the lock screen on some Google Pixel series smartphones that worked until last week. This method allowed anyone with physical access to a smartphone to unlock it with a simple five-step process that takes no more than a few minutes. The vulnerability has been fixed with the latest patches released last week, but it had been available for at least six months.

The vulnerability was revealed last week by David Schütz, who wrote in his article that he discovered the problem by chance after his Pixel 6 phone ran out of battery. The researcher then entered an incorrect PIN code three times and recovered the blocked SIM using the PUK (Personal Unlocking Key) code. After he unlocked the SIM card and chose a new PIN, the device did not ask for the lock screen password, only for a fingerprint scan.

Google Pixel flaw allowed home access without authentication

On Android devices, the standard behavior is that after a reboot the device must be unlocked with a password or security pattern, while fingerprint unlocking is only used to access the device's data when it is already on. Schütz experimented with his device and, in an effort to reproduce the flaw without restarting, found that it was also possible to bypass the fingerprint scanning request, gaining access to the home screen of the device without any authentication.

According to the researcher, the flaw affects all devices running Android 10, 11, 12 and 13 that have not been updated with the patches released in November 2022. Physical access to the device is obviously an important prerequisite, but such a bug has serious implications in certain circumstances (citizens under investigation, abusive spouses, device theft): someone only has to get hold of a device, use any SIM card and perform the procedure to access all the data on it.

The problem is caused by incorrect handling of the keyguard after the SIM card is unlocked via PUK. In the test, when the researcher entered the correct PUK, the "dismiss" function was called twice: once by the background component that monitors the status of the SIM card, and once by a PUK-related component. This closed not only the PUK-related security screen, but also the next security screen, the keyguard.

If there is no additional security screen, the operating system gives access to the home screen and all data on the smartphone. The error was reported in June 2022 and Google immediately recognized it as CVE-2022-20465. The fix introduces a new parameter that is required, along with the "dismiss" call, to close a security screen, so that the problem no longer compromises the integrity of the devices. This discovery earned Schütz a reward of $70,000, and users can protect themselves by installing the patches released in November 2022, where available.
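The double "dismiss" described above can be reproduced in a small model. This is an added example, not Android source code or the researcher's code: the class, method and caller names are hypothetical, and it assumes the new parameter names the security screen the caller intends to close.

```python
from enum import Enum


class Screen(Enum):
    SIM_PUK = "sim_puk"   # SIM unlock screen shown after three wrong SIM PINs
    PIN = "pin"           # the device's own lock screen (keyguard)


class Keyguard:
    """Toy model: a stack of security screens; an empty stack is the home screen."""

    def __init__(self, screens):
        self.stack = list(screens)  # last item is the screen currently shown

    @property
    def unlocked(self):
        return not self.stack

    def dismiss_unchecked(self):
        """Pre-patch behaviour as described: close whatever screen is on top."""
        if self.stack:
            self.stack.pop()

    def dismiss_expected(self, expected):
        """Patched behaviour (assumed): close only the screen the caller names."""
        if self.stack and self.stack[-1] is expected:
            self.stack.pop()
            return True
        return False  # duplicate or stale request is ignored


def puk_accepted(keyguard, patched):
    """Two components react to the same correct PUK, as in the article."""
    for _caller in ("sim_state_monitor", "puk_component"):  # hypothetical names
        if patched:
            keyguard.dismiss_expected(Screen.SIM_PUK)
        else:
            keyguard.dismiss_unchecked()
    return keyguard.unlocked


if __name__ == "__main__":
    for patched in (False, True):
        kg = Keyguard([Screen.PIN, Screen.SIM_PUK])
        print("patched" if patched else "pre-patch",
              "-> home screen reached:", puk_accepted(kg, patched))
```

In the pre-patch path the second call removes the lock screen that was underneath the PUK screen; in the patched path the second call no longer matches the top screen and is ignored.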


Phil Schwartz
