Google has patched a critical security flaw that affected all Pixel smartphones. The bug allowed anyone with physical access to a device to bypass the lock screen on any Pixel phone.
The bug was reported by security researcher David Schütz and is tracked as CVE-2022-20465. Schütz wrote in his write-up that:
“The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s device,”
According to the researcher, the flaw can be reproduced with the steps he provided:
- Supply an incorrect fingerprint three times to disable biometric authentication on the locked device
- Hot-swap the SIM card in the device with an attacker-controlled SIM that has a PIN code set up
- Enter an incorrect SIM PIN three times when prompted, locking the SIM card
- The device prompts the user to enter the SIM's Personal Unlocking Key (PUK) code, a unique 8-digit number that unblocks the SIM card
- Enter a new PIN code for the attacker-controlled SIM
- The device automatically unlocks
“The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code,” Schütz added.
Google has corrected the flaw and attributed it to an "incorrect system state": the device misinterpreted the SIM change event and dismissed the lock screen entirely.
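To make that root cause concrete, here is a small Python model added for this article. It is not Android's keyguard code, and the class, method and enum names are hypothetical. The model tracks which security screen is currently in front of the user. In the flawed variant, a success callback from any screen dismisses the keyguard, so when a SIM state change has already moved the keyguard back to the device PIN screen before the PUK screen's success callback arrives, that stale callback unlocks the phone. In the variant with the modeled fix, a callback is honoured only when the screen reporting success is still the one shown. That check is a reconstruction of the class of fix the "incorrect system state" description implies, not a quotation of Google's patch.

```python
"""Hypothetical model of a keyguard whose dismissal is, or is not, gated on
which security screen actually reported success. Illustrative only; not
Android code, and all names are invented for this example."""
from enum import Enum, auto


class SecurityMode(Enum):
    NONE = auto()     # keyguard dismissed
    PIN = auto()      # device credential screen
    SIM_PIN = auto()  # SIM asks for its PIN
    SIM_PUK = auto()  # SIM blocked, asks for the PUK


class SimState(Enum):
    READY = auto()
    PIN_REQUIRED = auto()
    PUK_REQUIRED = auto()


class Keyguard:
    """Hypothetical keyguard: one device credential plus a SIM screen layer."""

    def __init__(self, fix_applied: bool) -> None:
        self.fix_applied = fix_applied
        self.locked = True
        self.current_mode = SecurityMode.PIN

    def on_sim_state_changed(self, state: SimState) -> None:
        """A SIM state change decides which screen is in front."""
        if not self.locked:
            return
        if state is SimState.PUK_REQUIRED:
            self.current_mode = SecurityMode.SIM_PUK
        elif state is SimState.PIN_REQUIRED:
            self.current_mode = SecurityMode.SIM_PIN
        else:
            # SIM usable again: fall back to the device credential screen.
            self.current_mode = SecurityMode.PIN

    def dismiss(self, authenticated: bool, completed_mode: SecurityMode) -> bool:
        """Called by a security screen when the user finishes it.

        Returns True when the keyguard was dismissed.
        """
        if self.fix_applied and completed_mode is not self.current_mode:
            # Modeled fix (assumption, not Google's patch text): a success
            # reported by a screen that is no longer in front is ignored.
            return False
        if not authenticated:
            return False
        self.locked = False
        self.current_mode = SecurityMode.NONE
        return True


def puk_sequence(fix_applied: bool) -> tuple:
    """Replay the SIM event order described in the article against the model.

    Returns (still_locked, mode shown afterwards).
    """
    kg = Keyguard(fix_applied)
    kg.on_sim_state_changed(SimState.PIN_REQUIRED)   # SIM with a PIN inserted
    kg.on_sim_state_changed(SimState.PUK_REQUIRED)   # SIM PIN entered wrongly three times
    # The PUK screen succeeds. The SIM becomes READY first, which moves the
    # keyguard back to the device PIN screen (the "incorrect system state"),
    # and only then does the PUK screen's success callback arrive.
    kg.on_sim_state_changed(SimState.READY)
    kg.dismiss(authenticated=True, completed_mode=SecurityMode.SIM_PUK)
    return kg.locked, kg.current_mode


def device_pin_unlock(fix_applied: bool) -> bool:
    """Legitimate path: the device credential screen itself succeeds."""
    kg = Keyguard(fix_applied)
    return kg.dismiss(authenticated=True, completed_mode=SecurityMode.PIN)


if __name__ == "__main__":
    for fixed in (False, True):
        locked, mode = puk_sequence(fixed)
        print(f"fix_applied={fixed}: locked={locked}, screen={mode.name}")
```

The point of the model is that the device PIN screen still works in both variants; only the stale SIM-screen callback is rejected once dismissal is tied to the screen that is actually in front.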