
Google Pixel lock screen hack earns researcher $70,000

Android security pwned by PUK reset trick

A security researcher earned a bug bounty for a Google Pixel lock screen bypass

A security researcher has received a $70,000 bug bounty after discovering a Google Pixel lock screen bypass by accident.

The vulnerability, discovered by David Schütz, meant an attacker could unlock any Google Pixel phone without knowing the passcode. Google fixed the issue (tracked as CVE-2022-20465) in the November update, allowing Schütz to publish his findings.

The vulnerability gave a potential attacker with physical access to a target device a way to bypass lock screen protections such as fingerprint or PIN authentication and gain access to it. The hack could be performed with minimal technical skill against a range of Android devices by following a series of steps.

Fortunately, the flaw does not lend itself to remote exploitation.

Chance discovery

As described in a blog post, Schütz ran into the problem by chance when he forgot his Pixel phone’s PIN and had to use the PUK code to regain access. After completing the process successfully, he noticed an anomaly in the lock screen.

“It was a fresh boot, and instead of the usual lock icon, a fingerprint icon appeared,” Schütz recalls. “It accepted my finger, which should not happen, because after a reboot you must enter your lock screen PIN or password at least once to decrypt the device.”

After accepting his fingerprint, the device crashed with a strange “Pixel is starting…” message, which Schütz dealt with by forcing a restart.

Schütz decided to investigate the issue over the following days. On one occasion he forgot to reboot the phone: instead, he started from the normal unlocked state, locked the device, swapped the SIM tray, and then performed a SIM PIN reset.

After following this sequence, entering the PUK code and choosing a new PIN, Schütz was presented with his unlocked home screen.

The researcher realized that he had achieved a complete lock screen bypass on a fully patched Pixel 6. The same trick worked on the Pixel 5.

Ease of exploitation

Schütz realized that the hack could easily be exploited by anyone, from spies to fraudsters and jealous husbands.

“Since the attacker could just bring his/her own PIN-locked SIM card, nothing other than physical access was required for exploitation. The attacker could just swap the SIM in the victim’s device and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code.”

Confusion

Schütz reported the issue to Google. The tech giant promptly triaged and filed the bug, but the fix took longer.

After telling Schütz that the issue was a duplicate, and therefore would not normally qualify for a bug bounty, Google failed to act for several weeks, until Schütz’s repeated follow-ups and a demonstration of the exploit to Google employees at a Google-run bug hunter event called ESCAL8 in September pushed the company to take action.

Shortly thereafter, Google said that although Schütz’s report was a duplicate, it had only begun work on a fix because of his report, so the company decided to pay him a $70,000 bounty for the lock screen bypass.

The flaw was fixed on November 5, allowing Schütz to publish his findings along with a video demonstrating the bypass.

From the code changes, the researcher concluded that Android security screens are stacked “on top” of each other.

“When the SIM PUK was reset successfully, a .dismiss() function was called by the PUK resetting component on the ‘security screen stack’, causing the device to dismiss the current one and show the security screen that was ‘under it’ in the stack,” he explained.

“Since the .dismiss() function simply dismissed the current security screen, it was vulnerable to race conditions,” which meant the PUK reset component could dismiss an unrelated security screen that a background process had swapped in.

Google changed the code so that the call explicitly specifies the type of security screen to be dismissed.
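The following is an added toy model of the race described above, written for this article; it is not Android's keyguard code, and the class and function names (SecurityStack, dismiss_top, dismiss_of_type, simulate) are invented for the illustration. It stacks a PIN screen under a SIM PUK screen, then runs the PUK component's dismiss call and the keyguard's reaction to the SIM becoming unlocked in either order. With the unqualified dismiss, the wrong ordering pops the PIN screen and leaves the stack empty (the bypass); with a dismiss that names the expected screen type, the PIN screen survives in every ordering.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class ScreenType(Enum):
    PIN = auto()       # the user's lock screen PIN
    SIM_PUK = auto()   # SIM PUK prompt shown after the SIM PIN is locked out


@dataclass
class SecurityStack:
    """Hypothetical stand-in for the keyguard 'security screen stack'."""
    screens: list = field(default_factory=list)

    def push(self, screen: ScreenType) -> None:
        self.screens.append(screen)

    def top(self):
        return self.screens[-1] if self.screens else None

    def unlocked(self) -> bool:
        # No security screen left means the device shows the home screen.
        return not self.screens

    def dismiss_top(self) -> None:
        """Pre-fix behaviour: dismiss whatever screen is currently on top."""
        if self.screens:
            self.screens.pop()

    def dismiss_of_type(self, expected: ScreenType) -> bool:
        """Post-fix behaviour: dismiss only if the top screen is the expected type."""
        if self.screens and self.screens[-1] is expected:
            self.screens.pop()
            return True
        return False


def simulate(fixed: bool, sim_event_first: bool) -> bool:
    """Return True if the device ends up unlocked without the PIN being entered.

    fixed:           use the type-checked dismiss instead of the blind one
    sim_event_first: the SIM-state listener runs before the PUK component's dismiss
    """
    stack = SecurityStack()
    stack.push(ScreenType.PIN)      # underlying lock screen PIN prompt
    stack.push(ScreenType.SIM_PUK)  # PUK prompt shown on top of it

    def sim_state_listener() -> None:
        # Background reaction to the SIM becoming unlocked: the PUK screen is
        # no longer needed, so the keyguard swaps back to the screen beneath it.
        if stack.top() is ScreenType.SIM_PUK:
            stack.screens.pop()

    def puk_component_dismiss() -> None:
        # The PUK reset component signals "my screen is done".
        if fixed:
            stack.dismiss_of_type(ScreenType.SIM_PUK)
        else:
            stack.dismiss_top()

    steps = ([sim_state_listener, puk_component_dismiss] if sim_event_first
             else [puk_component_dismiss, sim_state_listener])
    for step in steps:
        step()
    return stack.unlocked()


if __name__ == "__main__":
    for fixed in (False, True):
        for race in (False, True):
            print(f"fixed={fixed} sim_event_first={race} -> unlocked={simulate(fixed, race)}")
```

Only the vulnerable dismiss with the SIM-state listener running first ends with an empty stack; the fix turns that ordering into a no-op because the screen on top is the PIN prompt, not the PUK prompt the component asked to dismiss.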

The Daily Swig has invited Google to comment and asked Schütz follow-up questions about his experience with bug bounty research and mobile security. No word yet, but we’ll update this story when more information comes in.
