Google Pays $70k for Android Lock Screen Bypass

Google recently handed out a $70,000 bug bounty reward for an Android vulnerability leading to lock screen bypass, security researcher David Schutz says.

Tracked as CVE-2022-20465, the security bug was resolved as part of the November 2022 Android patches, and could have allowed an attacker with physical access to a device to unlock it in minutes.

The issue, which Schutz accidentally discovered, could allow an attacker to unlock an Android phone by triggering the SIM PIN reset mechanism, which requires the user to enter a PUK code.

In this scenario, an attacker with physical access to a locked device would have to hot-swap the SIM card with one they own, and then enter the wrong personal identification number (PIN) three times to trigger the PIN reset process, which prompts for the SIM’s 8-digit personal unlocking key (PUK) code. The attacker is assumed to have the PUK code if they insert their own SIM card into the phone.

Once the attacker enters the PUK code, they are provided with full access to the device, without being prompted to provide the phone’s PIN, a password, or an unlocking pattern.

The vulnerability, a lock screen bypass due to an error in the “dismiss and related functions of and related files”, impacts devices running Android 10, 11, 12, and 13. Google describes the issue as an elevation of privilege bug.

The underlying issue, Schutz says, is a race condition vulnerability in a .dismiss() function called after the PUK code has been entered. The function is meant to dismiss the current security screen, which should have been the PUK prompt.

Because of this vulnerability, however, the component monitoring the SIM state in the background would change the security screen right before the .dismiss() function was called, resulting in the PIN/password/pattern screen being dismissed instead and the phone being unlocked.

“It seems like this background component set the normal e.g. fingerprint screen as the active security screen, even before the PUK component was able to get to its own .dismiss() function call. By the time the PUK component called the .dismiss() function, it actually dismissed the fingerprint security screen, instead of just dismissing the PUK security screen, as it was originally intended,” Schutz says.

To address the vulnerability, Google modified the .dismiss() function by adding a new parameter, where the function caller specifies which type of security screen should be dismissed.

“In our case, the PUK component now explicitly calls .dismiss(SecurityMode.SimPuk), to only dismiss security screens with the type of SimPuk. If the currently active security screen is not a SimPuk screen (because maybe some background component changed it, like in our case), the dismiss function doesn’t do anything,” Schutz notes.
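The race and the fix described above can be reproduced in a small model. This is an added example, not Android's code or the researcher's: the `Keyguard` class, its method names, and the `Pin` and `Unlocked` modes are hypothetical, and only `SecurityMode.SimPuk` and the idea of passing the expected mode to `dismiss` come from the article.

```python
from enum import Enum

class SecurityMode(Enum):
    SimPuk = "SimPuk"   # name taken from the article
    Pin = "Pin"         # hypothetical: the device's own PIN/password/pattern screen
    Unlocked = "None"   # hypothetical: no security screen left

class Keyguard:
    """Toy lock screen that shows exactly one security screen at a time."""

    def __init__(self):
        self.current = SecurityMode.SimPuk

    def on_sim_ready(self):
        # Background SIM monitor: switch to the device credential prompt.
        self.current = SecurityMode.Pin

    def dismiss_unchecked(self):
        # Pre-patch shape: dismiss whatever screen happens to be active now.
        self._advance()

    def dismiss(self, expected):
        # Patched shape: do nothing unless the named screen is the active one.
        if self.current is not expected:
            return False
        self._advance()
        return True

    def _advance(self):
        # Assumption of this model: clearing the PUK screen still leaves the
        # device credential screen; clearing that one unlocks the phone.
        if self.current is SecurityMode.SimPuk:
            self.current = SecurityMode.Pin
        else:
            self.current = SecurityMode.Unlocked

def puk_accepted(patched, monitor_first):
    """Run the PUK component's dismiss in one of the two interleavings."""
    kg = Keyguard()
    if monitor_first:
        kg.on_sim_ready()          # screen swapped before dismiss is reached
    if patched:
        kg.dismiss(SecurityMode.SimPuk)
    else:
        kg.dismiss_unchecked()
    if not monitor_first:
        kg.on_sim_ready()
    return kg.current
```

Only the unchecked dismiss combined with the monitor running first ends in `SecurityMode.Unlocked`; with the expected-mode check, both orderings end on the device credential screen.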

The researcher reported the vulnerability to Google in mid-June. A few months later, the internet giant told him that the report was a duplicate.

Schutz says he was able to demonstrate the issue in front of several Google engineers in September at an event and that, after engaging again with the bug bounty program team, the internet giant decided to expedite the release of patches and to award him $70,000.

The researcher confirmed the vulnerability on Pixel 5 and Pixel 6 phones, but other Android devices might be impacted as well. Updating to an Android security patch level of 2022-11-05 or later resolves the bug.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
