Cybersecurity researcher David Schutz by accident stumbled upon a vulnerability that may permit anybody to bypass the lock display on an Android smartphone. According to Schutz, an attacker solely wants a SIM card and entry to the machine to bypass the lock display.
“I found a vulnerability affecting all Google Pixel phones, where if you gave me any locked Pixel device, I could unlock it back to you,” Schutz wrote in a weblog publish documenting the vulnerability. Schutz mentioned that Google has patched the vulnerability in a safety replace launched on November 5, 2022.
I discovered a vulnerability that allowed me to unlock anybody @Google Pixel telephone with out figuring out passcode. This would be the most spectacular bug I’ve ever encountered.
Google mounted this challenge within the November 5, 2022 safety patch. Update your units!https://t.co/LUwSvEMF3w
— David Schutz (@xdavidhu) November 10, 2022
Finding Something Wrong With Android
Schutz found the vulnerability when his telephone’s battery died in the future. At that time, he linked the machine’s charger and booted the telephone. Once he did this, he was requested to enter the safety pin for the SIM card current within the telephone. Since he didn’t bear in mind it appropriately at the moment, he entered the mistaken PIN thrice.
At this level, the SIM card grew to become locked and Schutz needed to enter the SIM’s PUK code to unlock it. After getting into the PUK code, the telephone requested him to enter a brand new PIN. After doing so, he observed one thing unusual. The telephone was displaying the fingerprint icon, which shouldn’t have been there.
Normally, after the telephone reboots, it is not going to initially settle for fingerprint unlocking until the machine’s PIN code or password has been entered at the least as soon as. But the telephone accepted Schutz’s fingerprint, after which it was caught on a display till he rebooted it once more.
vulnerability discovery
Schutz tried repeating the method with out rebooting the telephone. He eliminated the SIM tray of the telephone whereas it was nonetheless on and reinserted the tray. He entered the PIN incorrectly thrice, then entered the PUK and set a brand new PIN. At this level, the telephone took her to the unlocked house display, though the machine was beforehand locked.
Schutz then repeated this course of a number of instances and bought the identical outcome every time – the telephone unlocked regardless of not getting into a password or utilizing his fingerprint. According to Schutz, he initially reported the vulnerability to Google in June of this 12 months, nevertheless it was solely mounted in a safety patch launched on November 5.
With inputs from TheIndianEXPRESS
