Bill Toulas* says an Android phone owner has accidentally found a way to bypass the lock screen.
Cybersecurity researcher David Schütz accidentally found a way to bypass the lock screen on his fully patched Google Pixel 6 and Pixel 5 smartphones, enabling anyone with physical access to the device to unlock it.
Exploiting the vulnerability to bypass the lock screen on Android phones is a simple five-step process that wouldn’t take more than a few minutes.
Accidental finding
Schütz says he discovered the flaw by accident after his Pixel 6 ran out of battery, entered his PIN wrong three times, and recovered the locked SIM card using the PUK (Personal Unblocking Key) code.
To his surprise, after unlocking the SIM and selecting a new PIN, the device didn’t ask for the lock screen password but only requested a fingerprint scan.
Android devices always request a lock screen password or pattern upon reboot for security reasons, so going straight to fingerprint unlock wasn’t normal.
The researcher continued experimenting, and when he tried reproducing the flaw without rebooting the device, he figured it was possible to go straight to the home screen (bypass fingerprint too), as long as the device had been unlocked by the owner at least once since reboot.
The impact of this security vulnerability is quite broad, affecting all devices running Android versions 10, 11, 12, and 13 that haven’t updated to November 2022 patch level.
Physical access to a device is a strong prerequisite.
However, the flaw still carries severe implications for people with abusive spouses, those under law enforcement investigations, owners of stolen devices, etc.
The attacker can simply use their own SIM card on the target device, enter the wrong PIN three times, provide the PUK number, and access the victim’s device without restrictions.
Google’s patching
The issue is caused by the keyguard being wrongfully dismissed after a SIM PUK unlock due to a conflict in the dismiss calls impacting the stack of security screens that run under the dialog.
When Schütz entered the correct PUK number, a “dismiss” function was called twice, once by a background component that monitors the SIM state, and once by the PUK component.
This caused not only the PUK security screen to be dismissed but also the next security screen in the stack, which is the keyguard, followed by whatever screen was next queued in the stack.
If there’s no other security screen, the user would directly access the home screen.
Schütz reported the flaw to Google in June 2022, and although the tech giant acknowledged the reception and assigned a CVE ID of CVE-2022-20465, they didn’t release a fix until November 7, 2022.
Google’s solution is to include a new parameter for the security method used in every “dismiss” call so that the calls dismiss specific types of security screens and not just the next one in the stack.
In the end, although Schütz’s report was a duplicate, Google made an exception and awarded the researcher $70,000 for his finding.
Users of Android 10, 11, 12, and 13 can patch this flaw by applying the November 7, 2022, security update.
*Bill Toulas is a technology writer and infosec news reporter with over a decade of experience working on various online publications.
This article first appeared at bleepingcomputer.com.