Google patches a high severity bug in Pixel
Google has addressed a high-severity security bug, tracked as CVE-2022-20465, affecting all Pixel smartphones that could be exploited to unlock the devices.
The issue allowed an attacker with physical access to bypass the lock screen protections and gain complete access to the user’s device. The vulnerability is tracked as CVE-2022-20465 and it might affect other Android vendors as well. The expert discovered how to unlock a Pixel phone using a PIN-locked SIM card and knowing its PUK code.
The researcher noticed an unusual behavior of his mobile divide during a journey and started looking at it again the next day. After rebooting the phone, putting in the incorrect PIN 3 times, entering the PUK, and choosing a new PIN, he noticed that the device went to the initial booting state.
The researcher made further tests and discovered that is possible to bypass lock screen protections with the following sequence of actions.
- Supply the wrong fingerprint three times on the locked device, this causes to disable biometric authentication.
- Hot swap the SIM tray using an attacker-controlled SIM and reset the PIN.
- Enter the incorrect SIM PIN three times, causing the lock of the SIM card.
- In order to unlock the device, it is requested to enter the SIM’s Personal Unlocking Key (PUK) code.
- Enter a new PIN code for the attacker-controlled SIM
- The devices unlocks.
The researcher reported the vulnerability in June 2022 and Google fixed it with the release of an Android update in November 2022.
The flaw was reported by the security researcher David Schütz and Google awarded $70,000 for this flaw.