5 Easy Steps to Bypass Google Pixel Lock Screens

PIN-locked SIM card? No problem. It’s easy for an attacker to bypass the Google Pixel lock screen on unpatched devices.

DARKReading

The November 2022 Android update includes a remediation for a bug that could allow an attacker to bypass the Google Pixel lock screen.

The researcher behind the discovery, David Schütz, reported the Google Pixel security flaw back in June after a series of errors led him to find the vulnerability. He had forgotten his PIN after his device ran out of battery and died. After rebooting, Schütz entered an incorrect PIN three times, triggering the SIM card to lock itself.

Luckily, he explained in a blog post this week, he had the original SIM packaging with the factory personal unlocking key (PUK) code to open the SIM card. From there he was able to gain access to the device without ever entering the correct PIN.

“After I calmed down a little bit, I realized that indeed, this is a got d*mn full lock screen bypass, on the fully patched Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too,” he wrote.

The Google Pixel lock screen bypass vulnerability is tracked under CVE-2022-20465. Here are the bypass steps, according to Schütz:

  1. Enter the wrong PIN three times.
  2. Hot-swap the device SIM for an attacker-controlled SIM with a known PIN code.
  3. Enter the new SIM’s eight-digit PUK code.
  4. Enter the new device PIN.
  5. Presto! The device unlocks.

For his efforts, Schütz said he was awarded a $70,000 bug bounty, along with bragging rights.

