On schedule, Google released its November security update for Pixel phones. Looking at the short list of user-facing changes, it would appear to be little more than a routine release fixing a few bugs, including fixes for excessive power consumption, screen flickering and occasional app crashes. However, this update also fixes a serious vulnerability that could let someone bypass the lock screen of many Android phones in under a minute, without any special software or tools.
The lock screen bypass was discovered by David Schütz. The surprisingly simple process requires only physical access to a vulnerable phone and a spare PIN-locked SIM card. The attacker hot-swaps in the spare SIM, enters a wrong SIM PIN three times, and then enters the PUK code (usually printed on the wallet-sized card the SIM was punched out of). With those steps, the lock screen disappears. David demonstrates the process in the video below.
How it works
The details are explained further in David Schütz's blog post, but to oversimplify: the problem stems from how Android implements the lock screen, or more specifically its narrow category of security screens, which includes the standard lock screen and the PUK entry screen. When a security screen should be displayed, such as after boot or after the screen is turned off and back on, Android places it on top of a stack and does not let the user dismiss it until a condition is met (for example a valid fingerprint or password). Once the condition is met, the system sends a signal to dismiss the security screen at the top of the stack and falls back to whatever security screen remains beneath it, or to an app or the home screen if there are none left.
The unusual part of this vulnerability involves a system service that listens for SIM card state changes. Once the PUK code is accepted and a new PIN is set on the SIM, the SIM becomes active, and the service reacts by closing the PUK security screen itself, which moves the normal lock screen back to the top of the stack. However, when the operating system then finishes processing the result of the PUK screen, it still sends the generic "dismiss a security screen" message. Since the only security screen left was the normal lock screen, the system dismissed that instead and gave the user full access to the device.
What is affected?
There are a few caveats to this bypass, most importantly that it is only fully effective on a device that has been unlocked at least once since the last boot. If the device has not been unlocked, it is still possible to get past the lock screen, but private data and most configuration settings remain inaccessible (credential-encrypted storage has not yet been unlocked), which will usually cause most apps to malfunction until the phone is restarted. It is still unknown whether the bypass works on devices enrolled in the Advanced Protection Program (APP).
Moreover, although the bypass was initially discovered on a Pixel, the bug lies in code that is part of the Android Open Source Project (AOSP), so any device running software based on that code may also be vulnerable. Some people have already reported that devices running LineageOS are vulnerable, and GrapheneOS reportedly as well. However, some reports indicate that recent Samsung devices are not.
Google released a bug fix
Google's fix for this bug is quite simple. Rather than changing the behavior of the SIM activation service, which might leave room for other bugs, the Android team changed the dismiss message to require a new parameter that specifies which type of security screen the caller expects to dismiss. If the screen on top of the stack does not match, nothing is dismissed, so there should be no risk of accidentally discarding the wrong screen.
This vulnerability is officially registered as CVE-2022-20465. Google landed the fix in the Android 13 branch of AOSP and also backported it to the Android 10, 11 and 12 branches.
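To make the mechanism in the "How it works" section and the shape of Google's fix concrete, here is a simplified Python model added for this article. It is not AOSP code and not David Schütz's proof of concept: the class and method names (Keyguard, Screen, dismiss, on_sim_ready, puk_attack) are invented, and the stack is reduced to the two screens involved. The same model is run once with the old unconditional dismiss and once with the expected-screen check.

```python
from enum import Enum, auto
from typing import List, Optional


class Screen(Enum):
    """Security screens the keyguard can stack (subset, for illustration)."""
    LOCK = auto()     # the user's normal PIN / pattern / password screen
    SIM_PUK = auto()  # PUK entry shown after three wrong SIM PINs


class Keyguard:
    """Toy model of the keyguard's stack of security screens (invented names)."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed                 # True: apply the expected-screen check from the fix
        self.stack: List[Screen] = []      # bottom .. top; the top screen is what the user sees
        self.log: List[str] = []

    def show(self, screen: Screen) -> None:
        self.stack.append(screen)

    def top(self) -> Optional[Screen]:
        return self.stack[-1] if self.stack else None

    def dismiss(self, expected: Optional[Screen] = None) -> bool:
        """Remove the top security screen after a credential was accepted.

        Vulnerable behaviour: pop whatever is on top, ignoring which screen
        the caller actually verified.
        Fixed behaviour: refuse unless the top screen is the one the caller
        expected to dismiss.
        """
        if not self.stack:
            return False
        if self.fixed and expected is not None and self.top() is not expected:
            self.log.append(
                f"refused to dismiss {self.top().name}; caller expected {expected.name}")
            return False
        self.log.append(f"dismissed {self.stack.pop().name}")
        return True

    def on_sim_ready(self) -> None:
        """SIM-state listener: once the SIM becomes READY after the PUK is
        accepted, it removes the PUK screen itself, so the next screen down
        (the normal lock screen) is back on top before the PUK handler finishes."""
        if self.top() is Screen.SIM_PUK:
            self.stack.pop()
            self.log.append("SIM READY: service removed SIM_PUK screen")

    def is_unlocked(self) -> bool:
        return not self.stack


def puk_attack(fixed: bool) -> Keyguard:
    """Replay the reported sequence: hot-swap a PIN-locked SIM, fail the SIM
    PIN three times, then enter the correct PUK. Returns the resulting keyguard."""
    kg = Keyguard(fixed)
    kg.show(Screen.LOCK)        # phone is locked; lock screen on top
    kg.show(Screen.SIM_PUK)     # three wrong SIM PINs: PUK screen stacks on top
    # The correct PUK is entered. Two things now happen, in this order:
    kg.on_sim_ready()           # 1. the SIM-state service pops the PUK screen
    kg.dismiss(expected=Screen.SIM_PUK)  # 2. the PUK handler says "dismiss the security screen"
    return kg


if __name__ == "__main__":
    for fixed in (False, True):
        kg = puk_attack(fixed)
        print(f"fixed={fixed}: unlocked={kg.is_unlocked()}, top={kg.top()}")
        for line in kg.log:
            print("  ", line)
```

In the vulnerable run the second step pops the lock screen, leaving an empty stack, which is the "device unlocked" state. In the fixed run the handler's dismiss carries SIM_PUK as the expected screen, the top is LOCK, so the request is refused and the user is left on the normal lock screen; a later dismiss with LOCK as the expected screen (a genuine unlock) still succeeds.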
Google usually communicates warnings about vulnerabilities to its hardware partners before public releases. It is therefore likely that most manufacturers will soon deploy security updates to all devices that may be vulnerable.
$70,000 bug bounty
For reporting the problem, Google paid David $70,000 through its bug bounty program, which has paid out millions over the years. Unfortunately, the process did not go as smoothly as it should have. According to David's account, he first attempted to report the issue about five months earlier, at which point Google marked it as a duplicate and not eligible for a reward. Months later, after he demonstrated the issue in person to some Google employees and a public disclosure deadline was set, it was finally patched.
This situation demonstrates the need for regular, long-term security updates for phones that are likely still in service. Naturally, anyone with a potentially vulnerable phone should install the latest security update as soon as it becomes available. Until then, restarting the phone and leaving it locked should keep your private data inaccessible, although that is not a practical strategy for everyday use.