Cybersecurity researcher discovers a way to bypass the lock screen on Pixel devices
Cybersecurity researcher David Schutz has discovered a serious vulnerability that allows anyone to pass the lock screen on a Pixel smartphone. According to Schutz, the only thing an attacker needs to pass the lock screen is a SIM card and access to the device. In his blog post, he adds that the “vulnerability is tracked as CVE-2022-20465 and it might affect other Android vendors as well.” It is not clear if other phone manufacturers are also impacted. Keep in mind that he was only able to create and recreate the flaw on a Pixel device.
“I found a vulnerability affecting seemingly all Google Pixel phones where if you gave me any locked Pixel device, I could give it back to you unlocked,” wrote Schutz in a blog post documenting the vulnerability.
He added that Google has patched the vulnerability in a security update released on November 5, 2022.
I found a vulnerability that allowed me to unlock any @Google Pixel phone without knowing the passcode. This may be my most impactful bug so far.
Google fixed the issue in the November 5, 2022 security patch. Update your devices! https://t.co/LUwSvEMF3w
— David Schütz (@xdavidhu) November 10, 2022
Finding something wrong with Android
Schutz discovered the vulnerability when his phone ran out of battery one day. He connected the charger and booted up the phone, which then asked him to enter the security PIN for the SIM card that was in it. Since he didn't remember it correctly at the time, he ended up entering the PIN incorrectly three times.
At this point, the SIM card got locked and Schutz had to enter the SIM’s PUK code in order to unlock it. After he entered the PUK code, the phone asked him to enter a new PIN. After he did that, he noticed something peculiar. The phone was displaying the fingerprint icon, which was not supposed to happen.
Usually, after a phone is rebooted, it will not initially accept fingerprint unlocking unless the device's PIN code or password has been entered at least once. But the phone accepted Schutz's fingerprint, and then it got stuck on a screen until he rebooted it again.
Discovering the vulnerability
He then tried to replicate the process without rebooting the phone. He removed the SIM tray of the phone while it was still switched on and reinserted the tray. He incorrectly entered the PIN three times, then entered the PUK and set a new PIN. At this point, the phone took him to the unlocked home screen, despite the fact that the device was locked before.
Schutz then repeated the process multiple times and got the same result each time—the phone got unlocked despite him not entering the password or using his fingerprint.
According to Schutz, he initially reported the vulnerability to Google in June this year. It has been fixed in a security patch released on November 5.