Google Pixel Can be Unlocked via SIM Swap (Other Android Phones, Too)

A Hungarian researcher found a nasty Android security bug. Hot-swap in a SIM you control, lock it by entering the wrong PIN three times, then type in that SIM’s PUK (PIN unblocking key) and choose a new PIN: the phone simply dismisses the lock screen, with no device passcode required.

Upshot: Malicious people can unlock your phone, giving them access to everything. Google finally fixed it, after prevaricating for five months. The bug’s definitely in most Pixel devices—and probably in any phone that uses near-stock Android. Go get the November update!

CVE-2022-20465 is the vulnerability ID. In today’s SB Blogwatch, we search for the lost SIM eject tool.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Henry Dagg.

PUK Phun

What’s the craic? John Leyden jars us awake—“Screen-lock hack earns researcher $70k”:

The bug was fixed on November 5
The vulnerability, discovered by David Schütz, meant an attacker could unlock any Google Pixel phone without knowing the passcode. Google fixed the issue … allowing Schütz to go public with his findings.

On one occasion he … locked the device, and hot-swapped the SIM tray, before carrying out the SIM PIN reset process [and] was presented with his unlocked home screen. … He had achieved a full lock screen bypass. … Schütz realized the hack would be easily exploited by anyone, from spies to crooks and jealous spouses.

Fortunately, the exploit is not something that would lend itself to remote exploitation. … The bug was fixed on November 5, allowing Schütz to disclose his findings and a video demonstrating the flaw.

Is $70,000 a lot? Zack Whittaker calls it “a simple Android lock screen bypass bug”:

Would allow access to a device’s data
The lock screen bypass bug … is described as a local escalation of privilege bug because it allows someone, with the device in their hand, to access the device’s data without having to enter the lock screen’s passcode. … Hungary-based researcher David Schütz said the bug was remarkably simple to exploit but took Google about five months to fix.

Anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android operating system’s lock screen. … Google can pay security researchers up to $100,000 for privately reporting bugs that could allow someone to bypass the lock screen, since a successful exploit would allow access to a device’s data.

Horse’s mouth? David Schütz hints he was bribed not to disclose it—“Accidental $70k Google Pixel Lock Screen Bypass”:

I’ll let you be the judge
Google (more precisely the Android … Vulnerability Reward Program) … triaged & filed an internal bug within 37 minutes. … I checked the Android VRP reward table which states that if you report a lock screen bypass that would affect multiple or all [Pixel] devices, you can get a maximum of $100k bounty. [But] 31 days after reporting, I woke up to the automated email saying that “The Android Security Team believes that this is a duplicate of an issue previously reported,” … and will not pay.

Fast forward to September, three months after my report. … I put a disclosure deadline for October 15. [One month later] they said that even though my report was a duplicate … they decided to make an exception, and reward $70,000 for the lock screen bypass.

I decided to wait for the fix. … I’ll let you be the judge.

Sounds to me like he was stiffed out of $30K. hnburnsy agrees, wondering if Schütz schüld have gotten more: [You’re fired—Ed.]

[Google’s] Project Zero only gives vendors 7 or 90 days before disclosure. … Google should have given Mr. Schütz $200,000 alone for not revealing it.

Is that enough? hdyoung waxes cynical:

Bounties for serious bugs should be 10 times that. The effect on Google’s bottom line wouldn’t even show up as pocket change, and they might actually make progress on security. … I suspect these bounty programs are mostly for PR purposes.

OK, OK … but can we talk about the actual vuln? btown has reviewed the deltas:

The bugfix is a bandage at best: The notion of anything accessing the “current” object after any kind of delay, especially in an event handler … is a recipe for disaster. In this case, dismissing the “current” security code screen was a supported API surface and that should set off all the red flags.

I sincerely hope that in the postmortem, there would be a larger … discussion around code review practices and how something like this … became part of the API surface to begin with, and a sincere prioritization of a larger review within the backlog. Though … I doubt that ends up happening.
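btown’s point, as an added illustration that is not code from this post, from btown, or from AOSP: a cut-down model of a keyguard screen stack in which the SIM PUK screen posts a deferred “dismiss” callback. The class names, the Mode enum, and the two scenario functions are invented for the example; the real keyguard and the actual fix differ in detail. The vulnerable variant decides what was solved by reading “current” when the callback runs; the hardened variant binds the callback to the screen that was actually verified and drops it if that screen has since been replaced.

```python
from collections import deque
from enum import Enum, auto


class Mode(Enum):
    PIN = auto()      # device credential screen (PIN / pattern / password)
    SIM_PUK = auto()  # SIM PUK entry, shown on top while a locked SIM is present
    NONE = auto()     # keyguard dismissed


class KeyguardBase:
    """Constructed, simplified keyguard model (not the AOSP code)."""

    def __init__(self):
        self.current = Mode.PIN
        self.unlocked = False
        self.pending = deque()  # stands in for callbacks posted to a handler

    def show(self, mode):
        """The keyguard swaps in a different screen, e.g. on a SIM state change."""
        self.current = mode

    def run_pending(self):
        """Later: posted callbacks fire, possibly after the screen changed."""
        while self.pending:
            self.pending.popleft()()

    def _advance(self, solved):
        """Move past a solved screen. Solving the SIM PUK only unlocks the SIM;
        the device credential is still required before the keyguard goes away."""
        if solved is Mode.SIM_PUK:
            self.current = Mode.PIN
        elif solved is Mode.PIN:
            self.current = Mode.NONE
            self.unlocked = True


class KeyguardVulnerable(KeyguardBase):
    """The callback infers what was solved from 'current' at the time it RUNS,
    not at the time it was posted."""

    def on_screen_verified(self):
        self.pending.append(lambda: self._advance(self.current))


class KeyguardHardened(KeyguardBase):
    """The callback carries the identity of the screen that was verified and is
    discarded if that screen is no longer the current one."""

    def __init__(self):
        super().__init__()
        self.stale_dropped = 0

    def on_screen_verified(self):
        expected = self.current  # bound at post time, not at run time
        self.pending.append(lambda: self._advance_if_current(expected))

    def _advance_if_current(self, expected):
        if expected is not self.current:
            self.stale_dropped += 1  # the screen that posted this is gone
            return
        self._advance(expected)


def normal_puk_flow(kg):
    """PUK solved, nothing changes underneath: SIM unlocks, PIN screen returns."""
    kg.show(Mode.SIM_PUK)
    kg.on_screen_verified()
    kg.run_pending()
    return kg.unlocked, kg.current


def sim_swap_race(kg):
    """PUK solved, then the SIM state change rebuilds the screens before the
    deferred dismiss runs, so 'current' is now the device PIN screen."""
    kg.show(Mode.SIM_PUK)
    kg.on_screen_verified()  # correct PUK; dismiss is posted, not yet run
    kg.show(Mode.PIN)        # keyguard is back on the device credential screen
    kg.run_pending()         # the deferred dismiss now sees PIN as 'current'
    return kg.unlocked, kg.current
```

In the race scenario the vulnerable model ends with `unlocked == True` and no screen, because the only thing it knew about the solved challenge was whatever happened to be current when the callback ran; the hardened model drops the stale callback and stays on the PIN screen. The general rule is the one btown states: a deferred callback must name the object it was created for and verify it, never reach for “whatever is current now”.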

But ThemePro alleges an allegation:

Sounds like an excellent exploit designed by Google to assist law enforcement.

Of course, a bug like this could never happen in iPhone, right? daneel_w disabuses thuswise:

Every once in a blue moon when I pick up my locked iPhone (which auto-locks in just 30 seconds) and engage the home button just as the screen comes alive from the gyro sensing movement, it unlocks on its own. It just flashes the PIN dialog and slides right onto the home screen.

No Apple watch, and it can happen without the phone being connected to anything Bluetooth/Wi-Fi. … I don’t use Touch ID, and never stored my print with it even once.

It’s been happening ever since iOS 11, with both my 1st gen. iPhone SE and my current iPhone 8. I reported it years ago but the report was ignored and closed.

Meanwhile, Tony Isaac snarks it up:

This bug couldn’t affect me. I never set a password!

And Finally:

The livin’ is easy

Hat tip: plankton



You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image sauce: Google

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.

