David Schütz, a cyber security researcher, accidentally found a new way to bypass the lock screen on Google Pixel 6 and Pixel 5 phones. The technique lets anyone holding the device unlock it.
The lock screen bypass on Android phones is no more than a five-step process and takes only a few minutes.
Google fixed the issue in the Android security update released last week, but the flaw remained exploitable for up to six months.
According to the researcher, he discovered the flaw by accident. All he was trying to do was unlock his Pixel 6, which had run out of battery. After entering his SIM PIN wrong three times, which locked the SIM card, he recovered it using the Personal Unblocking Key (PUK) code.
That is when the surprise came. Soon after he unlocked his SIM and set a new PIN, the device did not ask for the lock screen password but only requested his fingerprint.
Most Android devices always demand the lock screen password or pattern after a reboot for safety reasons, so going directly to fingerprint unlock was unusual, and David noticed.
He kept experimenting and tried to reproduce the flaw without rebooting the device, starting from an unlocked state. He soon found that it was possible to bypass the fingerprint scan as well, landing straight on the home screen.
The impact of this exposure is broad: it affects all devices running Android 10, 11, 12 and 13 that have not been updated to the November 2022 security patch.
All the attacker needs to do is use their own SIM card in the targeted device. If the device is locked, they can disable biometric authentication. After entering the wrong PIN three times, the attacker is presented with the PUK prompt, and once the PUK is accepted they reach the person's device without any further constraint.
The root cause is that the keyguard is wrongly dismissed after a SIM PUK unlock, because conflicting dismiss calls act on the stack of security screens that sits underneath the PUK dialog.
In Schütz's case, when he entered the correct PUK, a "dismiss" function was called twice: once by a background component that monitors the SIM state, and once by the PUK component itself.
As a result, not only was the PUK security screen dismissed, but so was the next security screen on the stack, the keyguard itself, and whatever came after it.
Once no security screen is left, whoever holds the phone lands directly on the home screen, which shows how serious the problem is.
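To make the double dismiss concrete, here is a small Python model added for this article (it is not Android's keyguard code): a stack of security screens with the flawed unconditional dismiss beside a checked dismiss that only pops the screen the caller actually verified. The screen names, method names and starting stack are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

HOME = "HOME"  # nothing left to verify: the launcher is shown


@dataclass
class Keyguard:
    """Pending security screens, top of the stack last.

    Constructed starting state (an assumption): the SIM PUK dialog sits on
    top of the device's own PIN screen, as on a PUK-locked, still locked phone.
    """
    screens: list = field(default_factory=lambda: ["PIN", "SIM_PUK"])

    def current(self) -> str:
        return self.screens[-1] if self.screens else HOME

    def dismiss_vulnerable(self, authenticated: bool) -> str:
        # Flawed behaviour: any successful dismiss pops whatever is on top, so a
        # second dismiss for the same PUK success removes the PIN screen too.
        if authenticated and self.screens:
            self.screens.pop()
        return self.current()

    def dismiss_checked(self, authenticated: bool, expected: str) -> str:
        # Hardened behaviour: the caller names the screen it actually verified;
        # a dismiss whose screen is no longer on top is ignored.
        if authenticated and self.screens and self.screens[-1] == expected:
            self.screens.pop()
        return self.current()


def simulate(hardened: bool) -> list:
    """Replay the two dismiss calls described above and return the screen
    shown after each step."""
    kg = Keyguard()
    trace = [kg.current()]
    # Caller 1: the PUK screen reports a correct PUK.
    # Caller 2: the background SIM-state monitor sees the SIM unlocked and
    #           dismisses again for the very same event.
    for _caller in ("puk_screen", "sim_state_monitor"):
        if hardened:
            trace.append(kg.dismiss_checked(True, expected="SIM_PUK"))
        else:
            trace.append(kg.dismiss_vulnerable(True))
    return trace


if __name__ == "__main__":
    print("vulnerable:", simulate(hardened=False))  # ['SIM_PUK', 'PIN', 'HOME']
    print("hardened:  ", simulate(hardened=True))   # ['SIM_PUK', 'PIN', 'PIN']
```

In the vulnerable run the second dismiss silently removes the PIN screen and the phone falls through to the home screen; in the checked run the stray dismiss is ignored because the PUK screen is no longer on top.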
David reported the flaw to Google in June 2022. Google acknowledged the report and assigned it CVE-2022-20465, but did not release a fix until November 7, 2022.
In the end, although Schütz's report was a duplicate, Google made an exception and rewarded the researcher $70,000 for his finding.
Users of Android 10, 11, 12 and 13 can close this hole by installing the November 7, 2022 security update.