Google Pays $70k for Android Lock Screen Bypass

Google recently handed out a $70,000 bug bounty reward for an Android vulnerability leading to lock screen bypass, security researcher David Schutz says.

Tracked as CVE-2022-20465, the security bug was resolved as part of the November 2022 Android patches, and could have allowed an attacker with physical access to a device to unlock it in minutes.

The issue, which Schutz accidentally discovered, could allow an attacker to unlock an Android phone by triggering the SIM PIN reset mechanism, which requires the user to enter a PUK code.

In this scenario, an attacker with physical access to a locked device would have to hot-swap the SIM card with one they own, and then enter the wrong personal identification number (PIN) three times to trigger the PIN reset process, which prompts for the SIM’s 8-digit personal unlocking key (PUK) code. The attacker is assumed to have the PUK code if they insert their own SIM card into the phone.

Once the attacker enters the PUK code, they are provided with full access to the device, without being prompted to provide the phone’s PIN, a password, or an unlocking pattern.

The vulnerability, a lock screen bypass due to an error in the “dismiss and related functions of KeyguardHostViewController.java and related files”, impacts devices running Android 10, 11, 12, and 13. Google describes the issue as an elevation of privilege bug.

The underlying issue, Schutz says, is a race condition vulnerability in a .dismiss() function called after the PUK code has been entered. The function is meant to dismiss the current security screen, which should have been the PUK prompt.

Because of this vulnerability, however, the component monitoring the SIM state in the background would change the security screen right before the .dismiss() function was called, resulting in the PIN/password/pattern screen being dismissed instead and the phone being unlocked.

“It seems like this background component set the normal e.g. fingerprint screen as the active security screen, even before the PUK component was able to get to its own .dismiss() function call. By the time the PUK component called the .dismiss() function, it actually dismissed the fingerprint security screen, instead of just dismissing the PUK security screen, as it was originally intended,” Schutz says.

To address the vulnerability, Google modified the .dismiss() function by adding a new parameter, where the function caller specifies which type of security screen should be dismissed.

“In our case, the PUK component now explicitly calls .dismiss(SecurityMode.SimPuk), to only dismiss security screens with the type of SimPuk. If the currently active security screen is not a SimPuk screen (because maybe some background component changed it, like in our case), the dismiss function doesn’t do anything,” Schutz notes.
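The interleaving described above, reduced to a small state-machine model (an added illustration, not Android's actual keyguard code): a background SIM-state monitor swaps the active security screen just before the PUK component calls dismiss. The pre-fix dismiss acts on whatever screen is current; the post-fix variant takes the expected screen type and does nothing on a mismatch. `Keyguard`, `puk_flow`, `unlock_reachable` and the `SecurityMode` members are modelling names chosen here, not identifiers from the platform source.

```python
from enum import Enum, auto


class SecurityMode(Enum):
    PIN = auto()      # owner's PIN/password/pattern/fingerprint screen
    SIM_PUK = auto()  # PUK prompt shown after three wrong SIM PINs
    NONE = auto()     # no security screen left: device is unlocked


class Keyguard:
    """Toy model of the keyguard's 'current security screen' (assumed, not platform code)."""

    def __init__(self):
        self.current = SecurityMode.PIN

    def show(self, mode):
        self.current = mode

    def _dismiss_current(self):
        if self.current == SecurityMode.SIM_PUK:
            self.current = SecurityMode.PIN   # PUK done: fall back to the owner's credential
        elif self.current == SecurityMode.PIN:
            self.current = SecurityMode.NONE  # primary screen dismissed: phone unlocks

    def dismiss_pre_fix(self):
        # Pre-fix behaviour: dismiss whichever screen happens to be active right now.
        self._dismiss_current()

    def dismiss_post_fix(self, expected):
        # Post-fix behaviour: only act if the active screen is the type the caller meant.
        if self.current != expected:
            return
        self._dismiss_current()

    @property
    def unlocked(self):
        return self.current == SecurityMode.NONE


def puk_flow(fixed, sim_monitor_wins_race):
    """Run one interleaving of the PUK-entry sequence; return True if the phone ends up unlocked."""
    kg = Keyguard()
    kg.show(SecurityMode.SIM_PUK)          # three wrong SIM PINs -> PUK prompt
    # Correct PUK entered; the SIM is unblocked and two components react.
    if sim_monitor_wins_race:
        kg.show(SecurityMode.PIN)          # background monitor switches the screen first
    if fixed:
        kg.dismiss_post_fix(SecurityMode.SIM_PUK)
    else:
        kg.dismiss_pre_fix()
    if not sim_monitor_wins_race:
        kg.show(SecurityMode.PIN)          # monitor runs after dismiss: harmless ordering
    return kg.unlocked


def unlock_reachable(fixed):
    """True if any scheduling of the two components leaves the device unlocked."""
    return any(puk_flow(fixed, wins) for wins in (True, False))
```

Only the pre-fix dismiss with the monitor winning the race reaches the unlocked state; the typed dismiss closes that path for every ordering.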

The researcher reported the vulnerability to Google in mid-June. A few months later, the internet giant told him that the report was a duplicate.

Schutz says he was able to demonstrate the issue in front of several Google engineers in September at an event and that, after engaging again with the bug bounty program team, the internet giant decided to expedite the release of patches and to award him $70,000.

The researcher confirmed the vulnerability on Pixel 5 and Pixel 6 phones, but other Android devices might be impacted as well. Updating to an Android security patch level of 2022-11-05 or later resolves the bug.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
