Dangerous SIM Switch Lock Screen Bypass – Update Android Now! – Naked security
A bug bounty hunter named David Schütz has just published a detailed report describing how he crossed swords with Google for months over what he considered a dangerous Android security hole.
According to Schütz, he stumbled upon a total Android lock screen bypass bug completely by accident in June 2022, under real-world conditions that could easily have happened to anyone.
In other words, it was reasonable to assume that other people could find out about the bug without consciously looking for bugs, making its discovery and public disclosure (or private abuse) as a zero-day loophole much more likely than usual.
Unfortunately, it wasn’t patched until November 2022, which is why he’s only revealing it now.
A serendipitous battery failure
Simply put, he found the fault because he forgot to turn off or charge his phone before embarking on a long trip, and let the device run out of juice unnoticed while he was on the road.
According to Schütz, he rushed to send some messages after getting home (we’re guessing he’d been on a plane) with the small amount of power still left in the battery…
…when the phone died.
We’ve all been there, looking for a charger or spare battery pack to get the phone rebooted to tell people we’ve arrived safely, waiting for baggage claim, reached the train station, expecting to be home in 45 minutes, could stop at the shops if someone urgently needs something, or whatever we have to say.
And we’ve all struggled with passwords and PINs when we’re in a hurry, especially if they’re codes that we rarely use and never developed the “muscle memory” to enter.
In Schütz’s case, it was the humble PIN on his SIM card that caught him out, and because SIM PINs can be as short as four digits, they’re protected by a hardware lock that limits you to three guesses at most. (We’ve been there, done that, locked ourselves out.)
After that, you must enter a 10-digit “master PIN” known as the PUK, short for personal unblocking key, which is usually printed inside the packaging in which the SIM card is sold, making it largely tamper-proof.
And to protect against PUK guessing attacks, the SIM card automatically freezes after 10 incorrect attempts, and must be replaced, which typically means fronting up to a mobile phone shop with identification.
What did I do with that packaging?
Luckily, because he wouldn’t have found the bug without it, Schütz found the original SIM packaging stored somewhere in a cupboard, scraped off the protective strip that hides the PUK, and typed it in.
At this point, given that he was in the process of booting up the phone after it ran out of power, he should have seen the phone’s lock screen requiring him to enter the phone’s unlock code…
…but instead he realized that he was on the wrong type of lock screen, because it gave him a chance to unlock the device with just his fingerprint.
That’s only supposed to happen if your phone is locked while in normal use, and not after a shutdown and reboot, when a full passcode reauthentication (or one of those swipe-to-unlock “pattern codes”) should be enforced.
Is there really a “lock” on your lock screen?
As you probably know from the many times we’ve written about lock screen bugs over the years at Naked Security, the problem with the word “lock” in “lock screen” is that it’s simply not a good metaphor for how complex the code that manages the “locking” and “unlocking” of a modern phone actually is.
A modern mobile lock screen is a bit like a house door that has a decent quality deadbolt lock fitted…
…but also has a letter box (mail hatch), glass panels to let in light, a cat flap, a springy latch that you’ve learned to rely on because the deadbolt is a bit of a hassle, and an external wireless doorbell/security camera that’s easy to steal on its own, even though it contains your Wi-Fi password in plain text and the last 60 minutes of video footage it has recorded.
Oh, and in some cases, even a secure front door will have the keys “hidden” under the doormat anyway, just in case, which is pretty much the situation Schütz found himself in on his Android phone.
A map of convoluted passages
Modern phone lock screens aren’t so much about locking your phone as about restricting your apps to limited modes of operation, which nevertheless usually give you and your apps access to a copious number of “special cases”, such as activating the camera even when the phone is locked, or popping up a select set of notification messages or email subject lines.
What Schütz had come across, in an entirely unintentional sequence of operations, was a flaw in what is called in the jargon the lock screen state machine.
A state machine is a kind of graph, or map, of the states a program can be in, along with the legal ways the program can move from one state to another, such as a network connection switching from “listening” to “connected”, and then from “connected” to “verified”, or a phone screen changing from “locked” either to “unlockable with fingerprint” or to “unlockable but only with a password”.
As you can imagine, state machines for complex tasks quickly become complicated themselves, and the map of different legal paths from one state to another can end up full of twists and turns…
…and sometimes exotic hidden passages that no one noticed during testing.
Schütz was actually able to repurpose his accidental PUK discovery into a generic lock screen bypass, where anyone who picked up (or stole, or otherwise had brief access to) a locked Android device could trick it into an unlocked state armed with nothing more than a separate SIM card and a paper clip.
In case you’re wondering, the paper clip is for ejecting the SIM card that’s already in the phone so you can insert the new SIM card and trick the phone into saying “I need to ask for the PIN for this new SIM card for security reasons”. Schütz admits that when he went to Google’s offices to demonstrate the hack, no one had a proper SIM ejector, so they first tried a needle, which Schütz managed to stick himself with, before succeeding with a borrowed earring. We suspect that poking the needle in point-first didn’t work (it’s hard to hit the ejector pin with a tiny point), so he decided to risk using it with the pointy end outwards while “being very careful”, thus turning a hacking attempt into a literal hack.
Play the system with a new SIM card
Given that the attacker knows both the PIN and PUK of the new SIM card, they can deliberately get the PIN wrong three times and then immediately get the PUK right, thus deliberately forcing the lock screen’s state machine into the insecure state that Schütz discovered by accident.
With the right timing, Schütz found that he could not only land on the fingerprint unlock page when it wasn’t supposed to be displayed, but also trick the phone into accepting the successful PUK unlock as a signal to dismiss the fingerprint screen and “validate” the entire unlock process as if he had typed in the phone’s full lock code.
Unfortunately, much of Schütz’s article describes how long it took Google to respond to and fix this vulnerability, even after the company’s own engineers had determined that the bug was indeed repeatable and exploitable.
As Schütz himself put it:
This was the most impactful vulnerability I’ve found to date and it crossed a line for me where I really started to worry about the fix timeline and even just keeping it a “secret” myself. I may be overreacting, but I mean not too long ago the FBI was fighting with Apple over almost the same thing.
Delays in disclosure
Given Google’s stance on bug disclosure, with its own Project Zero team notoriously adamant about the need to set strict disclosure times and stick to them, you might have expected the company to stick to its 90-days-plus-14-extra-in-special-cases rule, but according to Schütz it couldn’t manage it in this case.
Apparently he had agreed on a date of October 2022 when he planned to reveal the bug publicly, as he has now done, which seems like plenty of time for a bug he discovered back in June 2022.
But Google missed that October deadline.
The update for the flaw, designated bug number CVE-2022-20465, finally appeared in Android’s November 2022 Security Updates, dated 2022-11-05, with Google describing the fix as: “Do not dismiss keyguard after SIM PUK unlock.”
In technical terms, the bug was what is known as a race condition, where the part of the operating system that watched the PUK entry process in order to keep track of the “is it safe to unlock the SIM now?” state ended up producing a success signal that trumped the code that was simultaneously keeping track of “is it safe to unlock the whole device?”
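To make the state-machine and race-condition descriptions above concrete, here is a toy model added for this article (it is not Android’s code or Schütz’s): it tracks the SIM lock and the device keyguard as two separate pieces of state and shows why a SIM-side success signal must never clear the device-side one. The real bug was timing-dependent; this model collapses the race into an unconditional coupling, and the state names, transitions and credentials are all assumptions.

```python
# Toy model of the two lock-state trackers described in the article: one for
# the SIM ("is it safe to unlock the SIM?") and one for the device keyguard
# ("is it safe to unlock the whole device?").  Names and transitions are
# assumptions for illustration, not Android's real code.
from dataclasses import dataclass

SIM_PIN = "1234"          # constructed credentials for an attacker-owned SIM
SIM_PUK = "0123456789"
DEVICE_CODE = "987654"    # constructed device passcode

@dataclass
class LockScreen:
    sim_state: str = "PIN_REQUIRED"   # PIN_REQUIRED -> PUK_REQUIRED -> READY
    pin_failures: int = 0
    device_unlocked: bool = False     # the keyguard tracker

    def enter_sim_pin(self, pin: str) -> None:
        if self.sim_state != "PIN_REQUIRED":
            return
        if pin == SIM_PIN:
            self.sim_state = "READY"
            return
        self.pin_failures += 1
        if self.pin_failures >= 3:    # SIM hardware lock after three wrong PINs
            self.sim_state = "PUK_REQUIRED"

    def enter_sim_puk(self, puk: str, fixed: bool) -> None:
        if self.sim_state != "PUK_REQUIRED" or puk != SIM_PUK:
            return
        self.sim_state = "READY"      # the SIM tracker is satisfied
        if not fixed:
            # Buggy coupling: the SIM success signal dismisses the keyguard,
            # although the device tracker never saw a device credential.
            self.device_unlocked = True
        # Fixed: only the SIM lock clears; the keyguard still needs DEVICE_CODE.

    def enter_device_code(self, code: str) -> None:
        if code == DEVICE_CODE:
            self.device_unlocked = True

def keyguard_dismissed_after_puk(fixed: bool) -> bool:
    """Regression check: three wrong SIM PINs, then the correct PUK.
    Returns True if the device ended up unlocked with no device credential."""
    ls = LockScreen()
    for _ in range(3):
        ls.enter_sim_pin("0000")
    ls.enter_sim_puk(SIM_PUK, fixed=fixed)
    return ls.device_unlocked
```

The check is the kind of regression test a defender would keep around: after a SIM PUK unlock, the keyguard must still be in place until a device credential has been presented.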
Still, Schütz is now considerably richer thanks to Google’s bug bounty payout (his report makes it clear he was hoping for $100,000, but he had to settle for $70,000 in the end).
And he held out on revealing the flaw longer than he originally bargained for, presumably accepting that discretion is sometimes the better part of valor.
What to do?
Check that your Android is up to date: go to Settings > Security > Security update > Check for update.
Note that when we visited the security update screen, after not using our Pixel phone for a while, Android boldly proclaimed that your system is up to date, indicating that it had checked automatically a minute or so earlier, but still told us that we were on Security Update 5 October 2022.
We forced another update check manually and were immediately told Preparing system update…, followed by a short download, a long preparatory phase and then a reboot request.
After rebooting, we reached the patch level of November 5, 2022.
We then went back and did another post-update check to confirm that there were no fixes still outstanding.