
An Android phone owner accidentally found a way to bypass the screen lock

  • November 12, 2022

Cybersecurity researcher David Schütz accidentally found a way to bypass the screen lock on fully patched Google Pixel 6 and Pixel 5 smartphones, allowing anyone with physical access to the device to unlock it. Exploiting the vulnerability to bypass the lock screen on Android phones is a simple five-step process that shouldn’t take more than a few minutes.

Google fixed the security issue in the latest Android update released last week, but it remained exploitable for at least six months.


Schütz says he discovered the vulnerability by accident after his Pixel 6’s battery died: he entered the PIN incorrectly three times and had to recover the locked SIM card using a PUK (Personal Unblocking Key). Surprisingly, after unlocking the SIM card and choosing a new PIN, the device did not ask for the lock screen password, only a fingerprint scan.

For security reasons, Android devices always ask for the lock screen password or pattern after a reboot, so going straight to fingerprint unlock was not normal. The researcher kept trying and realized that when he reproduced the issue without restarting the device, starting from an unlocked state, he could bypass the fingerprint prompt as well and go directly to the home screen.

The impact of this vulnerability is wide-ranging, affecting all devices running Android 10, 11, 12, and 13 that have not been updated to the November 2022 patch. Physical access to the device is a prerequisite. However, the vulnerability still has serious consequences for those who are abused by their spouses, those targeted by law enforcement, owners of stolen devices, and more.

The attacker can use the SIM card on the target device, disable biometric authentication (if blocked), enter the wrong PIN three times, provide the PUK number and gain unlimited access to the victim’s device.

Google fix

The issue is caused by the keyguard (the lock screen) being wrongly dismissed after a SIM PUK unlock, due to a conflict in the dismiss calls affecting the stack of security screens shown under the dialog. When Schütz entered the correct PUK number, the “dismiss” function was called twice: once by the background component that monitors the status of the SIM card, and once by the PUK component.

This caused not only the PUK security screen to be dismissed, but also the next security screen in the stack, the keyguard, followed by whatever screen was next in the stack. If there is no other security screen, the user is taken directly to the home screen. Schütz reported the vulnerability to Google in June 2022. Although the tech giant acknowledged receipt and assigned CVE-2022-20465, it did not release a patch until November 7, 2022.

Google’s solution is to add a new parameter for the security method used in each “dismiss” call, so that the calls dismiss specific types of security screens, not just the next one in the stack. In the end, although Schütz’s report was a duplicate, Google made an exception and gave the researcher $70,000 for his discovery. Android 10, 11, 12 and 13 users can fix this vulnerability by installing the 7 November 2022 security update.
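The double-dismiss conflict and the scoped fix described above can be reproduced with a small model. This is an added illustration, not Android's code: the class, method and screen names are hypothetical, and the two callers are simply replayed in sequence.

```python
# Simplified model of the lock-screen logic described in the article.
# All names here are hypothetical; this is not Android source code.
from enum import Enum


class Screen(Enum):
    SIM_PUK = "SimPuk"
    KEYGUARD = "Keyguard"   # PIN / pattern / password screen
    HOME = "Home"           # no security screen left: device is unlocked


class SecurityStack:
    """Security screens in display order; index 0 is the one on screen."""

    def __init__(self, screens):
        self.screens = list(screens)

    def current(self):
        return self.screens[0] if self.screens else Screen.HOME

    def dismiss_unscoped(self):
        # Pre-patch behaviour: dismiss whatever happens to be on top now.
        if self.screens:
            self.screens.pop(0)

    def dismiss_scoped(self, expected):
        # Patched behaviour: the caller names the screen it means to dismiss,
        # so a call arriving after the screen has changed is ignored.
        if self.screens and self.screens[0] is expected:
            self.screens.pop(0)
            return True
        return False


def puk_unlock(scoped):
    """Replay the two dismiss calls issued after a correct PUK entry."""
    stack = SecurityStack([Screen.SIM_PUK, Screen.KEYGUARD])
    for _caller in ("SIM state monitor", "PUK screen component"):
        if scoped:
            stack.dismiss_scoped(Screen.SIM_PUK)
        else:
            stack.dismiss_unscoped()
    return stack.current()


if __name__ == "__main__":
    print("unscoped dismiss ->", puk_unlock(scoped=False).value)  # Home
    print("scoped dismiss   ->", puk_unlock(scoped=True).value)   # Keyguard
```

With the unscoped call, the second dismiss removes the keyguard that has just moved to the top of the stack. With the scoped call, the second dismiss no longer matches the screen on display and is ignored.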

Source: Port Altele
