Android security bypassed by PUK reset trick
A security researcher has received a $70,000 bug bounty payout after accidentally discovering a Google Pixel lock screen bypass hack.
The vulnerability, discovered by David Schütz, meant an attacker could unlock any Google Pixel phone without knowing the passcode. Google fixed the issue (tracked as CVE-2022-20465) in a November update, allowing Schütz to go public with his findings.
The vulnerability gave a potential attacker a way to bypass lock screen protections such as fingerprint or PIN authentication and gain access to a target device in their physical possession. The bypass required only minimal technical skill and a short series of steps, and worked on a range of mobile devices running Android.
Fortunately, the exploit is not something that would lend itself to remote exploitation.
Serendipity strikes
As explained in a blog post, Schütz encountered the problem by chance when he forgot the PIN code of his Pixel phone and had to use the PUK code to regain access. After successfully completing the process, he noticed some quirks in the lock screen he was facing.
“It was a fresh start, and instead of the usual lock icon, the fingerprint icon showed up,” Schütz recalls. “It accepted my finger, which shouldn’t happen because after a reboot, you have to enter the lock screen PIN or password at least once to decrypt the device.”
After accepting his fingerprint, the device crashed with a strange “Pixel is starting…” message, which Schütz dealt with by forcing a restart.
Schütz decided to investigate the matter over the next few days. On one occasion he forgot to restart the phone and just started from a normal unlocked state, locked the device and hot-swapped the SIM card tray, before performing the process of resetting the SIM card PIN.
After following this sequence, then entering the PUK and choosing a new PIN, Schütz was presented with his unlocked home screen.
The researcher found that he had achieved a complete bypass of the lock screen on the fully patched Pixel 6. The same trick worked on a Pixel 5.
Easy operation
Schütz realized that the flaw could easily be exploited by anyone from spies to crooks to jealous spouses.
“Since the attacker could simply bring their own PIN-locked SIM card, nothing but physical access was required for exploitation. The attacker could simply swap the SIM card in the victim’s device and run the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code.”
Bounty bafflement
Schütz reported the issue to Google, and the tech giant acknowledged the bug quickly, but it took much longer to resolve.
After telling Schütz that the issue was a duplicate, and therefore not normally eligible for a bug bounty, Google took no action for a few weeks. Only after Schütz repeatedly followed up and demonstrated the exploit to Google employees at ESCAL8, a bug-squashing event hosted by Google in September, was action taken.
Shortly afterwards, Google said that although Schütz’s report was a duplicate, it had only started working on a fix because of his submission, so the company decided to pay him a bounty: $70,000 for a lock screen bypass.
The bug was fixed on November 5, allowing Schütz to publish his findings along with a video demonstrating the flaw.
The researcher inferred from code changes that Android security screens can be stacked “on top of each other”.
“When the SIM PUK has been successfully reset, a .dismiss() was called by the PUK reset component on the ‘security screen stack’, causing the device to discard the current one and display the security screen that was ‘below’ in the stack,” he explained.
“Since the .dismiss() function simply dismissed the current security screen, it was vulnerable to race conditions,” which meant that the PUK reset component could dismiss an unrelated security screen after a background process had modified the stack.
Google changed the code so that the call explicitly names the type of security screen it expects to dismiss.
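As an added illustration (a simplified Python model written for this article, not Android's own keyguard code), the following shows how an untyped dismiss() on a stack of security screens can pop the wrong screen when a background SIM-state update changes the stack first, and how requiring the caller to name the screen type it expects to dismiss closes that window. All class and function names here are invented for the model.

```python
from dataclasses import dataclass, field
from enum import Enum, auto


class SecurityMode(Enum):
    PIN = auto()      # the device's own lock screen credential
    SIM_PUK = auto()  # PUK entry screen shown while the inserted SIM is blocked


@dataclass
class SecurityScreenStack:
    """Security screens stacked 'on top of each other'; the last entry is shown."""
    screens: list = field(default_factory=list)

    def unlocked(self) -> bool:
        return not self.screens  # no screen left means the device is unlocked

    def on_sim_state_changed(self) -> None:
        # Background SIM-state update: the SIM is no longer blocked, so the
        # keyguard drops the PUK screen by itself, without telling the caller.
        self.screens = [s for s in self.screens if s is not SecurityMode.SIM_PUK]

    def dismiss_untyped(self) -> bool:
        # Pre-fix behaviour: pop whatever screen happens to be on top.
        if not self.screens:
            return False
        self.screens.pop()
        return True

    def dismiss_typed(self, expected: SecurityMode) -> bool:
        # Post-fix behaviour: refuse unless the top screen is the one expected.
        if not self.screens or self.screens[-1] is not expected:
            return False
        self.screens.pop()
        return True


def run_puk_reset(typed_dismiss: bool, background_wins_race: bool) -> bool:
    """Simulate one PUK reset; return True if the device ends up unlocked."""
    stack = SecurityScreenStack(screens=[SecurityMode.PIN, SecurityMode.SIM_PUK])
    # The user enters the correct PUK and picks a new SIM PIN. Two things then
    # happen in some order: the SIM-state update and the PUK component's dismiss.
    if background_wins_race:
        stack.on_sim_state_changed()
    if typed_dismiss:
        stack.dismiss_typed(SecurityMode.SIM_PUK)
    else:
        stack.dismiss_untyped()
    if not background_wins_race:
        stack.on_sim_state_changed()
    return stack.unlocked()
```

Only the combination of the untyped dismiss and the background update winning the race leaves the stack empty; the typed dismiss returns False in that case and the PIN screen stays in place.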
The Daily Swig invited Google to comment and asked Schütz follow-up questions about his experience of bug hunting and mobile security. No word yet, but we’ll update this story as more information becomes available.