Right on schedule, Google released its security update for Pixel phones in November — and judging by the short list of user-facing changes, it appears to be little more than a routine release to address a few bugs, including fixes to reduce power consumption, screen flickering and the occasional app crash. However, this update also fixes a pretty serious vulnerability that could allow a person to bypass the lock screen of many Android phones in less than a minute without any software or special tools.
This lock screen bypass method was discovered by David Schutz. The surprisingly simple process only requires physical access to a vulnerable phone and a spare SIM card that is PIN-locked. All that is required is to replace the spare SIM card, enter the wrong code for the SIM card three times, and finally enter the PUK code (usually found on the wallet-sized card the SIM card came from). And with these simple steps, the lock screen will disappear. David demonstrates the process in the video below.
How it works
Details of how this vulnerability occurs are spelled out in more detail in David Schütz’s blog post – but to put it simply, the problem comes from the way Android implements the lock screen, or more precisely, the narrow category of security screens that includes standard lock screens and PUK code entry screen . When a security screen should appear, such as after booting or turning the screen off and on again, Android stacks it on top and does not allow the user to dismiss it without passing the conditions (eg a valid fingerprint or password). When the conditions are met, the system sends a signal to dismiss the security screen at the top of this stack and return to any remaining security screens, or to an app or home screen if there are no other security screens on the stack.
The unconventional issue that leads to this vulnerability is caused by a system service that listens for changes in the status of the SIM card. When the PUK code is accepted and the PIN code is reset on the SIM card, the SIM card becomes active and a system service cancels by closing the PUK security screen and returning the regular lock screen to the top of the stack. However, when the operating system finished processing the results of the PUK security screen, it still sent a message to reject a security screen. Since only one security screen remained, the regular lock screen, the system accidentally rejected it and gave the user full access to the device.
What is affected?
There are some caveats with this bypass, most notably that it is only fully effective on a device that has been unlocked since the last time it booted up. If it has not been unlocked, it is still possible to bypass the lock screen, but private data and most configuration settings will be inaccessible, which usually results in most of the software on the phone not working until it is restarted. It is still unclear whether this bypass will work on devices with Advanced Protection Program (APP) enabled.
Furthermore, the hack was originally spotted on a Pixel phone, but the bug lives on in the code available in the Android Open Source Project (AOSP). As a result, any device running software based on this code may also be vulnerable. Some people have already reported that devices running Lineage are vulnerable
and probably GrapheneOS as well. However, some reports indicate that newer Samsung devices are not.
UPDATE: 2022/11/11 21:10 EST BY CODY TOOMBS
GrapheneOS is reportedly already updated
A member of the GrapheneOS team has reached out to confirm that the latest update has been deployed and released as part of an update released on November 8, 2022.
Google has published a bug fix
Google’s solution for this error is quite simple. Instead of enforcing the behavior of the SIM activation system service, which could leave room for other errors, the Android team extended the broadcast message to require a new parameter specifying the type of security screen to reject. In doing so, there should be no risk of accidentally removing the wrong type of screen from the stack.
This vulnerability is formally registered under the name CVE-2022-20465. Google has published the fixes in the Android 13 branch on AOSP, but was also reverted to the Android 10, 11 and 12 branches.
Google generally communicates warnings about vulnerabilities to its hardware partners ahead of public releases, so it’s likely that most manufacturers will roll out security updates in the near future to devices that may be vulnerable.
$70,000 bug bounty reward
For reporting the problem, Google paid David $70,000 USD as part of its Bug Bounty program, which has paid out millions over the years. Unfortunately, the process did not go as smoothly as it probably should have. Per David’s retelling of events, he attempted to report the issue about five months ago, when Google claimed it was a dupe and ineligible for a reward. Months later, after demonstrating the problem to some Google employees and then following up with a deadline for public disclosure, it was finally fixed and resolved.
This situation highlights the need for regular, long-term security updates for phones that are likely still in use. Naturally, anyone with a potentially vulnerable phone should install the latest security updates when they become available. In the meantime, it’s not a viable strategy for regular use, but restarting a phone without unlocking it should prevent people from accessing your private data.