A simple Android lock screen bypass bug landed a researcher $70,000 - TechCrunch

2 years ago

Google has paid out $70,000 to a security researcher for privately reporting an “accidental” security bug that allowed anyone to unlock Google Pixel phones without knowing their passcode.

The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local escalation of privilege bug because it allows someone with the device in their hand to access the device’s data without having to enter the lock screen’s passcode.

Hungary-based researcher David Schütz said the bug was remarkably simple to exploit but took Google about five months to fix.

Schütz discovered that anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android operating system’s lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schütz described how he found the bug accidentally and reported it to Google’s Android team.

Android lock screens let users set a numerical passcode, a password, or a pattern to protect their phone’s data, or these days a fingerprint or face print. Your phone’s SIM card might also have a separate PIN code set to stop a thief from ejecting it and physically stealing your phone number. But SIM cards have an additional personal unlocking key, or PUK, to reset the SIM card if the user incorrectly enters the PIN code more than three times. PUK codes are fairly easy for device owners to obtain, often printed on the SIM card packaging or available directly from the cell carrier’s customer service.

Schütz found that the bug meant entering a SIM card’s PUK code was enough to trick his fully patched Pixel 6, and his older Pixel 5, into unlocking the phone and its data without ever displaying the lock screen. He warned that other Android devices might also be vulnerable.

Since a malicious actor could bring their own SIM card and its corresponding PUK code, only physical access to the phone is required, he said. “The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code,” said Schütz.

Google can pay security researchers up to $100,000 for privately reporting bugs that could let someone bypass the lock screen, since a successful exploit would allow access to a device’s data. The bug bounty rewards are high in part to compete with efforts by companies like Cellebrite and Grayshift, which rely on software exploits to build and sell phone-cracking technology to law enforcement agencies. In this case, Google paid Schütz a lesser $70,000 bug bounty reward because, while his bug was marked as a duplicate, Google was unable to reproduce — or fix — the bug reported before his.

Google fixed the Android bug in a security update released on November 5, 2022 for devices running Android 10 through Android 13. You can see Schütz exploiting the bug in his video below.
