Cybersecurity researcher David Schutz has discovered a serious vulnerability that allows anyone to bypass the lock screen on a Pixel smartphone. According to Schutz, all an attacker needs to bypass the lock screen is a SIM card and access to the device. In his blog post, he adds that “the vulnerability is tracked as CVE-2022-20465 and could also affect other Android vendors.” It is not clear if other phone manufacturers are also affected. He notes that he was only able to create and recreate the glitch on a Pixel device.
“I found a vulnerability that apparently affected all Google Pixel phones where if you gave me a locked Pixel device, I could return it to you unlocked,” Schutz wrote in a blog post documenting the vulnerability.
He added that Google patched the vulnerability in a security update released on November 5, 2022.
Find something wrong with Android
He discovered the vulnerability when his phone ran out of battery one day. At that point, he plugged in the device’s charger and turned on the phone. Once he did this, he was prompted to enter the security PIN for the SIM card that was in the phone. Since he didn’t remember it correctly at the time, he ended up entering the PIN incorrectly three times.
At this point, the SIM card was blocked and Schutz had to enter the SIM’s PUK code to unlock it. After entering the PUK code, the phone asked him to enter a new PIN. After doing that, he noticed something peculiar. The phone was showing the fingerprint icon, which was not supposed to happen.
Typically, after a phone is rebooted, it will not initially accept fingerprint unlock unless the device’s PIN code or password has been entered at least once. But the phone accepted Schutz’s fingerprint and then got stuck on a screen until he rebooted it again.
Discovering the vulnerability
He then tried to replicate the process without rebooting the phone. He removed the SIM tray from the phone while it was still on and reinserted the tray. He entered the PIN incorrectly three times, then entered the PUK and set a new PIN. At this point, the phone took him to the unlocked home screen, even though the device was locked before.
Schutz then repeated the process several times and got the same result each time: the phone unlocked even though he didn’t enter the password or use his fingerprint.
According to Schutz, he initially reported the vulnerability to Google in June of this year. It has been fixed in a security patch released on November 5.