Google has resolved a high-severity security issue affecting all Pixel smartphones that could be trivially exploited to unlock the devices.
The vulnerability, tracked as CVE-2022-20465 and documented by security researcher David Schütz in June 2022, was remediated as part of the search giant's monthly Android update for November 2022.
“The issue permitted an attacker with physical entry to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s system,” Schütz, who was awarded $70,000 for the lock screen bypass, explained in a write-up of the flaw.
The problem, per the researcher, is rooted in the fact that lock screen protections are completely defeated when following a specific sequence of steps:
- Supply an incorrect fingerprint three times to disable biometric authentication on the locked device
- Hot swap the SIM card in the device with an attacker-controlled SIM that has a PIN code set up
- Enter an incorrect SIM PIN three times when prompted, locking the SIM card
- Device prompts the user to enter the SIM's Personal Unlocking Key (PUK) code, a unique 8-digit number to unblock the SIM card
- Enter a new PIN code for the attacker-controlled SIM
- Device quickly unlocks
This also means that all an adversary needs to unlock a Pixel phone is their own PIN-locked SIM card and the card's PUK code.
“The attacker could just swap the SIM in the victim’s system, and execute the exploit with a SIM card that had a PIN lock and for which the attacker understood the correct PUK code,” Schütz said.
An analysis of the source code commits made by Google to patch the flaw shows that it's caused by an “incorrect procedure condition” introduced as a result of wrongly interpreting the SIM change event, causing it to entirely dismiss the lock screen.
“I was not expecting to result in this significant of a code change in Android with this bug,” Schütz concluded.
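The class of bug described above, a stale "dismiss" acting on the wrong screen after a SIM state change, can be shown with a small model. This is an added example, not Google's code or the researcher's: every class and method name is hypothetical, and the event ordering is an assumption chosen to illustrate the weak check beside a hardened one.

```python
# Hypothetical model of a lock-screen controller; not Android source code.
from enum import Enum

class Screen(Enum):
    NONE = "unlocked"
    DEVICE_PIN = "device PIN / biometric"
    SIM_PUK = "SIM PUK"

class Keyguard:
    """Shows one security screen at a time; unlocked when none is shown."""
    def __init__(self, strict):
        self.strict = strict              # True = hardened dismiss
        self.current = Screen.DEVICE_PIN

    def on_sim_state_changed(self, sim_locked):
        # A blocked SIM puts the PUK screen on top; a ready SIM falls back
        # to the device credential screen, which must still be satisfied.
        self.current = Screen.SIM_PUK if sim_locked else Screen.DEVICE_PIN

    def dismiss(self, expected):
        # Weak form: dismiss whatever is showing, trusting the caller.
        # Hardened form: act only if the caller's screen is still on top.
        if self.strict and self.current is not expected:
            return False
        self.current = Screen.NONE
        return True

    @property
    def unlocked(self):
        return self.current is Screen.NONE

def puk_flow(strict):
    """Constructed order: SIM state change lands before the PUK dismiss."""
    kg = Keyguard(strict)
    kg.on_sim_state_changed(sim_locked=True)   # blocked SIM inserted
    # ... correct PUK and a new SIM PIN are entered on the PUK screen ...
    kg.on_sim_state_changed(sim_locked=False)  # SIM ready; device PIN shown
    kg.dismiss(expected=Screen.SIM_PUK)        # late dismiss from PUK screen
    return kg.unlocked

if __name__ == "__main__":
    print("weak dismiss unlocks device:", puk_flow(strict=False))
    print("strict dismiss unlocks device:", puk_flow(strict=True))
```

The hardened form ties each dismiss request to the screen that issued it, so a request that arrives after the state has moved on is ignored instead of removing the device credential screen.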
Some parts of this article are sourced from:
thehackernews.com