A simple Android lock screen bypass bug netted a researcher $70,000
Google has paid $70,000 to a security researcher for privately reporting an “accidental” security flaw that allowed anyone to unlock Google Pixel phones without knowing the password.
The lock screen bypass flaw, tracked as CVE-2022-20465, is described as a local escalation of privilege flaw because it allows someone, with the device in hand, to access the device’s data without having to enter the lock screen password.
Hungary-based researcher David Schütz said the bug was remarkably easy to exploit, but it took Google about five months to fix.
Schütz discovered that anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter the preset recovery code to bypass the Android operating system’s lock screen protection. In a blog post about the bug, published now that the bug has been fixed, Schütz described how he discovered the bug by accident and reported it to Google’s Android team.
Android lock screens allow users to enter a numeric passcode, a password or a pattern to protect the phone’s data, or, these days, a fingerprint or face print. Your phone’s SIM card can also have its own PIN, so that a thief who pulls the SIM card out cannot simply use your phone number. But SIM cards also have a personal unlock code, or PUK, to reset the SIM card if the user enters the PIN incorrectly more than three times. PUK codes are fairly easy for device owners to obtain: they are often printed on the SIM card packaging or available directly from the mobile operator’s customer service.
Schütz found that the flaw meant that entering a SIM card’s PUK code was enough to trick his fully-patched Pixel 6 phone, and his older Pixel 5, into unlocking his phone and data, without ever showing the lock screen. He warned that other Android devices could also be vulnerable.
Since a malicious actor can bring his own SIM card and associated PUK code, only physical access to the phone is required, he said. “The attacker could simply change the SIM card in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code,” Schütz said.
Google could pay security researchers up to $100,000 for privately reporting bugs that allow someone to bypass the lock screen, since a successful exploit gives access to a device’s data. The bug bounties are high in part to compete with the efforts of companies like Cellebrite and Grayshift, which rely on software exploits to build and sell phone-cracking technology to law enforcement agencies. In this case, Google paid Schütz a smaller $70,000 bug bounty because his report was marked as a duplicate of an earlier one, even though Google had failed to reproduce, or fix, the bug from that earlier report.
Google fixed the Android flaw in a security update released on November 5, 2022 for devices running Android 10 through Android 13. You can watch Schütz exploit the flaw in his video below.