A critical lock screen bypass bug allows anyone to bypass every form of lock screen protection, including fingerprint, pattern, and PIN, by swapping in a new SIM with the help of its PUK code.
The local privilege escalation bug resides in Google Pixel phones and is caused by a logic error in the code; an attacker can exploit it without any additional execution privileges or user interaction.
The following Android versions are vulnerable to this bug:
Google fixed the bug, released the patch in the November Android security update, and assigned it CVE-2022-20465 with the following description:
“In dismiss and related functions of KeyguardHostViewController.java and related files, there is a possible lock screen bypass due to a logic error in the code.”
Bypass Google Pixel Lock Screen
The researcher demonstrated the bug with a simple SIM-swapping technique: a new SIM, together with its PUK code, triggers the bug and bypasses the lock screen whether it is protected by a pattern, a passcode, or a fingerprint.
A PUK (Personal Unlocking Key) code is used to unlock a SIM card whose PIN has been entered incorrectly three times in a row, for example when the user has forgotten it. The PUK code is printed on the SIM card package.
The researcher triggered and exploited the bug with the following steps.
- Lock the vulnerable Pixel phone and enter the wrong PIN 3 times.
- Perform a hot swap: replace the old SIM with a new SIM in the same SIM tray.
- Now attempt to reset the PIN by entering the PUK code assigned to the new SIM card (the attack SIM).
- As soon as the attacker types the PUK code, the phone lets them in and allows them to set a new PIN.
“I realized that indeed, this is a got damn full lock screen bypass, on the fully patched Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too,” the researcher said in his public write-up.
“After PUK unlock, multiple calls to KeyguardSecurityContainerController#dismiss() were being made from the KeyguardSimPukViewController, which begins the transition to the next security screen, if any.
At the same time, other parts of the system, also listening to SIM events, recognize the PUK unlock and call KeyguardSecurityContainer#showSecurityScreen, which updates which security method comes next.
After boot, this should be one of PIN, Password, or Pattern, assuming they have a security method.
If one of the first dismiss() calls comes AFTER the security method changes, this is incorrectly recognized by the code as a successful PIN/pattern/password unlock,” the Android bug report said.
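To make the ordering problem concrete, the following simplified model is added here as an illustration; it is not Android SystemUI code, and the Keyguard class, the SecurityMode values, the dismissed_mode parameter and the sequence helpers are assumptions chosen to mirror the description above, not the real KeyguardSecurityContainerController API. It places the logic error, a dismiss() that trusts whichever screen happens to be current when it runs, beside a hardened version that only honours a dismiss naming the screen that was actually verified.

```python
"""Simplified model of a keyguard that chains security screens (PUK -> user lock).

Added illustrative example, not Android SystemUI code. All names here are
assumptions that mirror the bug description, not the real SystemUI API.
"""
from enum import Enum, auto


class SecurityMode(Enum):
    SIM_PUK = auto()   # SIM is PUK-locked: the PUK screen is shown first
    PIN = auto()       # the user's own screen lock (stands in for PIN/pattern/password)
    NONE = auto()      # nothing left to show: the device is unlocked


class Keyguard:
    """Tracks the security screen currently shown and the one that follows it."""

    def __init__(self, user_lock: SecurityMode, sim_puk_locked: bool, strict: bool):
        self.user_lock = user_lock
        self.current = SecurityMode.SIM_PUK if sim_puk_locked else user_lock
        self.unlocked = False
        # strict=True: dismiss() must name the screen it is dismissing (hardened model)
        self.strict = strict

    def next_mode_after(self, mode: SecurityMode) -> SecurityMode:
        """After the PUK screen comes the user's lock; after that, nothing."""
        if mode is SecurityMode.SIM_PUK:
            return self.user_lock
        return SecurityMode.NONE

    def show_security_screen(self, mode: SecurityMode) -> None:
        """Models the SIM-state listener: once the PUK is accepted, switch to the user's lock."""
        self.current = mode

    def dismiss(self, authenticated: bool, dismissed_mode: SecurityMode) -> bool:
        """Dismiss the current screen after a successful entry.

        Vulnerable behaviour (strict=False): trusts self.current at call time, so a
        dismiss() issued for the PUK screen that arrives after the screen has already
        switched to PIN is treated as a successful PIN entry.
        Hardened behaviour (strict=True): the caller states which screen it verified,
        and a dismiss whose screen is no longer current is ignored.
        """
        if not authenticated:
            return False
        if self.strict and dismissed_mode is not self.current:
            return False   # stale dismiss: the screen it refers to is no longer shown
        following = self.next_mode_after(self.current)
        if following is SecurityMode.NONE:
            self.unlocked = True
        self.current = following
        return True


def puk_unlock_sequence(strict: bool) -> bool:
    """Replay the bad ordering from the bug report: the SIM listener switches the
    screen to the user's lock, and then a dismiss() for the PUK screen arrives.
    Returns whether the device ended up unlocked without the user's PIN."""
    kg = Keyguard(user_lock=SecurityMode.PIN, sim_puk_locked=True, strict=strict)
    # (a) SIM-state listener sees the PUK unlock and sets the next security method.
    kg.show_security_screen(kg.user_lock)
    # (b) A dismiss() from the PUK flow lands after that change.
    kg.dismiss(authenticated=True, dismissed_mode=SecurityMode.SIM_PUK)
    return kg.unlocked


def correct_pin_sequence(strict: bool) -> bool:
    """The legitimate path: PUK accepted, then the user enters the correct PIN.
    Shows that the hardened check does not break normal unlocking."""
    kg = Keyguard(user_lock=SecurityMode.PIN, sim_puk_locked=True, strict=strict)
    kg.dismiss(authenticated=True, dismissed_mode=SecurityMode.SIM_PUK)  # PUK screen done
    kg.dismiss(authenticated=True, dismissed_mode=SecurityMode.PIN)      # correct PIN typed
    return kg.unlocked


if __name__ == "__main__":
    print("vulnerable model, stale PUK dismiss unlocks device:", puk_unlock_sequence(strict=False))
    print("hardened model, stale PUK dismiss unlocks device:  ", puk_unlock_sequence(strict=True))
    print("hardened model, correct PIN still unlocks:        ", correct_pin_sequence(strict=True))
```

The point of the model is that the decision "did the user just pass the screen I am about to remove?" must be made against the screen the caller actually verified, not against whatever screen is current when the callback runs; any event-driven flow where two listeners react to the same event (here, the PUK unlock) is exposed to this kind of reordering.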
Patch Advisory & Rewards:
Google acknowledged the bug after multiple reporting attempts by the researcher and, once the Android security team was able to reproduce it, rewarded him $70k. The same bug had been reported earlier this year, but at that time the team was unable to reproduce it.
“The same issue was submitted to our program earlier this year, but we were not able to reproduce the vulnerability. When you submitted your report, we were able to identify and reproduce the issue and began developing a fix.” Google said during the bug report communication.
“We typically do not reward duplicate reports; however, because your report resulted in us taking action to fix this issue, we are happy to reward you the full amount of $70,000 USD for this LockScreen Bypass exploit!”
- How to fix:
  - Update your device to the November 5, 2022, Security Update.
  - An update can be triggered manually by going to Settings -> Security -> Security update -> Check for update. You might have to do it multiple times.
  - More info about updating a Pixel device is available at the official help page.
- Affected devices:
  - Seemingly all Google Pixel devices.
  - Since the patch is in AOSP, other Android vendors might be affected.
- If you can’t update:
  - Turn off your phone before leaving it unattended.
  - This prevents access to the encrypted user data, but might still allow persistence.