LEFT SIDEBAR AD

Hidden in mobile, Best for skyscrapers.

Google Pixel screen-lock hack earns researcher $70k

1 year ago 106
BOOK THIS SPACE FOR AD
ARTICLE AD

Android security pwned by PUK reset trick

A security researcher earned a bug bounty payout for a Google Pixel lock screen bypass vulnerability

A security researcher scored a $70k bug bounty payout after accidentally discovering a Google Pixel lock-screen bypass hack.

The vulnerability, discovered by David Schütz, meant an attacker could unlock any Google Pixel phone without knowing the passcode. Google fixed the issue (tracked at CVE-2022-20465) with a November update, allowing Schütz to go public with his findings.

The vulnerability created a means for a potential hacker to bypass lock-screen protections such as fingerprint or PIN authentication and obtain physical access to a target device. The hack could be carried out with minimal technical skill against a range of mobile devices running Android, by following a series of steps.

Fortunately, the exploit is not something that would lend itself to remote exploitation.

Serendipity strikes

As explained in a blog post, Schütz came across the issue by chance when he forgot the PIN code of his Pixel phone and had to use the PUK code to regain access. After successfully completing the process, he noticed oddities in the lock screen he was confronted with.

“It was a fresh boot, and instead of the usual lock icon, the fingerprint icon was showing,” Schütz recalled. “It accepted my finger, which should not happen, since after a reboot, you must enter the lock screen PIN or password at least once to decrypt the device.”

After accepting his finger, the device crashed with a weird “Pixel is starting…” message, which Schütz addressed with a forced reboot.

RECOMMENDED GhostTouch: Hackers can reach your phone’s touchscreen without even touching it

Schütz decided to investigate the issue over subsequent days. On one occasion he forgot to reboot the phone, and just began from a normal unlocked state, locked the device, and hot-swapped the SIM tray, before carrying out the SIM PIN reset process.

After following this sequence before entering the PUK code and choosing a new PIN, Schütz was presented with his unlocked home screen.

The researcher realized that he had achieved a full lock screen bypass on the fully patched Pixel 6. The same trick worked on a Pixel 5.

Easy exploitation

Schütz realized the hack would be easily exploited by anyone, from spies to crooks and jealous spouses.

“Since the attacker could just bring his/her own PIN-locked SIM card, nothing other than physical access was required for exploitation. The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code.”

Patch puzzlement

Schütz reported the issue to Google and the tech giant processed and filed the bug promptly, but remediation took far longer.

After telling Schütz the issue was a duplicate, and therefore not normally eligible for a bug bounty, Google failed to act for some weeks, before repeated chasing by Schütz and a demo of the exploit to Google staffers at a Google-run bug hunter event called ESCAL8 in September prompted action.

Shortly after this, Google said that even though Schütz’s report was a duplicate, it had only started working on a fix because of his submission, so the firm had decided to pay him a $70,000 bounty for the lock screen bypass.

The bug was fixed on November 5, allowing Schütz to disclose his findings and a video demonstrating the flaw.

Catch up on the latest hardware-related security news and analysis

The researcher deduced from code changes that Android security screens can be stacked “on top” of each other.

“When the SIM PUK was reset successfully, a .dismiss() function was called by the PUK resetting component on the ‘security screen stack’, causing the device to dismiss the current one and show the security screen that was ‘under’ it in the stack,” he explained.

“Since the .dismiss() function simply dismissed the current security screen, it was vulnerable to race conditions” that meant that the PUK resetting component could dismiss a unrelated security screen, changed by a background process.

Google has changed the code, so it explicitly calls the type of security screen to be dismissed.

The Daily Swig invited Google to comment, and asked Schütz follow-up questions about his experience in bug bounty hunting and mobile security. No word back as yet, but we’ll update this story as and when more information comes to hand.

YOU MAY ALSO LIKE Boffins rekindle one-time program cryptographic concept

Read Entire Article
  3. Google Pixel screen-lock hack earns researcher $70k

Related

We’re going teetotal: It’s goodbye to The Daily Swig

We’re going teetotal: It’s goodbye to The Daily Swig

Bug Bounty Radar // The latest bug bounty programs for March 2023

Bug Bounty Radar // The latest bug bounty programs for March 2023

Indian transport ministry flaws potentially allowed creation of counterfeit driving licenses

Indian transport ministry flaws potentially allowed creation of counterfeit driving licenses

Password managers: A rough guide to enterprise secret platforms

Password managers: A rough guide to enterprise secret platforms

Chromium bug allowed SameSite cookie bypass on Android devices

Chromium bug allowed SameSite cookie bypass on Android devices

Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Trending

1. Deadpool
2. Taiwan earthquakes
3. Serie A
4. Reliance
5. Iranian President Ebrahim Raisi
6. Yuzvendra Chahal
7. Trent Boult
8. Hanuman Jayanti 2024 Date
9. Hanuman Jayanti 2024
10. Allu Arjun

Popular

1-click RCE in Electron Applications

1-click RCE in Electron Applications

Install waybackurls on Kali Linux

Install waybackurls on Kali Linux

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Over 40 Apps With More Than 100 Million Installs Found Leaking AWS Keys

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Microsoft Office Professional Plus 2019 (x64 & x86) Multilingual + Pre-Activated

Install DalFox on Kali Linux

Install DalFox on Kali Linux

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

Adobe Master Collection CC 2022 v25.08.2022 (x64) Multilingual Pre-Activated

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

‘We are not motivated by profits’ – Open Bug Bounty maintainers on finding a niche in the crowdsourced AppSec market

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Maxon CINEMA 4D Studio S22.123 (x64) Multilingual + Crack

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

Just Gopher It: Escalating a Blind SSRF to RCE for $15k

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

SketchUp Pro 2020 v20.2.172 (x64) Multilingual + Patch

BOOK THIS SPACE FOR AD
RIGHT SIDEBAR BOTTOM AD
Bengali (Bangladesh) Bengali (Bangladesh) · English (United States) English (United States) ·
About Us · Terms & Condition · Contact Us
© Security Alert 2024. All rights are reserved