Cybersecurity researcher accidentally found a way to bypass the lock screen of Android devices.
Cybersecurity researcher David Schütz accidentally found a way to bypass the lock screen on his Google Pixel 6, which was running the latest security patch version at the time. Anyone with physical access to the device can use it to unlock the phone. The vulnerability can be exploited on Android phones to bypass the lock screen in five simple steps that take no more than a couple of minutes.
Security patch level ‘2022-11-01’ fixes 12 bugs that lead to escalation of privilege (EoP). Among the 12 high-severity bugs, CVE-2022-20465 is the noteworthy security vulnerability. This bug affects all Pixel smartphones and can be exploited to bypass the lock screen and gain access to the target’s device. David Schütz was credited for finding the security vulnerability and has been awarded $70,000 for the discovery.
It is to be noted that Google has already rolled out a security patch in the latest Android update. The latest update addresses over 40 vulnerabilities, including multiple high-severity escalation-of-privilege vulnerabilities. This problem, however, had remained available to exploit for the past six months.
Schütz explains how he discovered the vulnerability by accident after his Google Pixel 6 ran out of battery. While attempting to unlock the phone, he entered the wrong PIN three times to unlock his SIM card and was forced to input the PUK (Personal Unblocking Key) code to recover his locked SIM card. He was surprised that, after unlocking the SIM and entering a new PIN, the device did not ask for the lock screen password to unlock the phone but instead asked for a fingerprint scan.
When a phone turns on from a reboot, it asks the user to enter the PIN code they set up in order to decrypt the phone for security purposes. Only after decryption will the phone allow the user to unlock it through any of the registered verification methods. To verify his discovery, the researcher continued experimenting by reproducing the flaw. He was able to exploit the flaw even further without rebooting the device, jumping past the lock screen and going straight to the home screen.
The impact of this vulnerability is broad: it affects all devices running Android versions 10, 11, 12 and 13 that have not been updated to the November 2022 patch level. An attacker can gain access to any of the mentioned devices by simply using their own SIM card in the target device, entering the wrong PIN three times, entering the PUK number and then accessing the victim’s device without any restriction. It is to be noted that the vulnerability can only be exploited on a device that has already been unlocked by the owner after a reboot.
Because Android is an open-source operating system, the updated version of the OS framework can be inspected publicly. The corresponding source-code commit can be viewed HERE.
The lock screen bypass is possible due to a logic error in KeyguardHostViewController.java and related files. After the PUK unlock, multiple calls to KeyguardSecurityContainerController#dismiss() were made from the KeyguardSimPukViewController; dismiss() is responsible for the transition to the next security screen by calling KeyguardSecurityContainer#showSecurityScreen. If one of these dismiss() calls arrives after the transition to the next security screen has already happened, it is incorrectly treated as a successful unlock of that new screen, bypassing the lock screen. This also causes the keyguard to be marked as done, causing screen flickers and an incorrect system state.
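The following is an added, simplified model of the logic error just described; it is not AOSP code and not the author's. It assumes a two-screen keyguard sequence (SIM PUK screen, then the user's PIN screen), a container class with a `dismiss()` method, and an `expected_mode` parameter as one way of rejecting a stale dismiss; all of these names are constructed for the illustration. The vulnerable container trusts any authenticated `dismiss()` for whichever screen happens to be showing, so a duplicated call from the PUK controller "passes" the PIN screen. The hardened container drops a `dismiss()` whose expected screen no longer matches the one on display.

```python
"""Model of a stale-dismiss keyguard logic error (constructed example, not AOSP code).

Assumptions not taken from the article: the SCREENS order, the names SecurityMode,
KeyguardContainer, HardenedKeyguardContainer and the `expected_mode` parameter.
"""
from enum import Enum, auto


class SecurityMode(Enum):
    SIM_PUK = auto()   # PUK entry screen for a blocked SIM
    PIN = auto()       # the user's real lock-screen PIN
    NONE = auto()      # keyguard finished: device unlocked


class KeyguardContainer:
    """Vulnerable model: dismiss() honours any authenticated call for the screen
    currently shown, regardless of which screen's controller issued it."""

    # Order in which security screens are shown after a SIM has been blocked.
    SCREENS = [SecurityMode.SIM_PUK, SecurityMode.PIN]

    def __init__(self):
        self.index = 0
        self.unlock_events = []  # audit trail: which screen "finished" the keyguard

    @property
    def current_mode(self):
        if self.index < len(self.SCREENS):
            return self.SCREENS[self.index]
        return SecurityMode.NONE

    def dismiss(self, authenticated, expected_mode=None):
        """Advance to the next screen, or finish the keyguard if the last screen passed.
        Returns True only when the keyguard is finished by this call."""
        if not authenticated or self.current_mode is SecurityMode.NONE:
            return False
        finished = self.index == len(self.SCREENS) - 1
        if finished:
            # Last screen authenticated: keyguard marked done, device unlocked.
            self.unlock_events.append(self.current_mode)
        self.index += 1
        return finished


class HardenedKeyguardContainer(KeyguardContainer):
    """Hardened model: a dismiss() is honoured only if the caller's expected
    security mode matches the screen actually on display."""

    def dismiss(self, authenticated, expected_mode=None):
        if expected_mode is not None and expected_mode is not self.current_mode:
            # Stale call from a controller whose screen is no longer showing.
            return False
        return super().dismiss(authenticated, expected_mode)


def sim_puk_controller_unblocks_sim(container):
    """Model of the PUK controller after a correct PUK: as the article describes,
    it issues dismiss() more than once, and the second call lands after the
    container has already moved on to the PIN screen."""
    container.dismiss(True, expected_mode=SecurityMode.SIM_PUK)
    container.dismiss(True, expected_mode=SecurityMode.SIM_PUK)
    return container.current_mode


def run_scenario(container_cls):
    """Return the screen left on display after a PUK unlock with a duplicated dismiss()."""
    return sim_puk_controller_unblocks_sim(container_cls())


if __name__ == "__main__":
    print("vulnerable :", run_scenario(KeyguardContainer))          # NONE: unlocked, PIN never entered
    print("hardened   :", run_scenario(HardenedKeyguardContainer))  # PIN: still waiting for the real PIN
```

In the vulnerable model the second `dismiss()` arrives while the PIN screen is current and is counted as that screen's success, which is exactly the "marked as done" state the write-up describes. The hardened model ties each dismiss to the screen its caller was servicing, so a late or duplicated call from the PUK controller cannot stand in for a PIN entry; only a dismiss issued for the PIN screen itself finishes the keyguard.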
USERS ARE STRONGLY RECOMMENDED TO DOWNLOAD THE MOST RECENT ANDROID SECURITY UPDATES AS SOON AS THEY ARE AVAILABLE TO KEEP THEIR ANDROID DEVICES PROTECTED AGAINST ANY POTENTIAL ATTACK.
Source: https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/
About the Author
Ruben George