Your phone’s lock screen is expected to be a safeguard against the world (and accidental unlocks in your pocket). When it’s locked, your phone can’t be opened without either the passcode, a face scan, or a fingerprint. If you lose your phone or someone snatches it from you, you can rest assured they won’t be able to do anything with it. Except right now they can, thanks to a newly discovered vulnerability allowing anyone to bypass an Android device’s lock screen.
As reported by Bleeping Computer, cybersecurity researcher David Schütz discovered a way to unlock both a Google Pixel 6 and Pixel 5 without needing to know the passcode. It happened after his Pixel 6 ran out of charge, and after he entered his PIN incorrectly 3 times. His SIM card was then locked, so he entered the PUK (Personal Unblocking Key) to restore it.
However, once the SIM was recovered, the Pixel asked him to scan his fingerprint. That shouldn’t happen, since Pixels (as well as most phones) require you to enter the passcode in order to unlock after a reboot. You shouldn’t have the option to use your fingerprint to unlock the phone until after one successful unlock with the passcode.
From there, Schütz realized there was a legitimate security flaw here. If an attacker inserts their own SIM into a target’s Android, then enters the wrong SIM PIN 3 times, they can enter their SIM’s PUK to be able to create a new SIM PIN. Once they do, they bypass the lock screen entirely and access the phone.
Schütz brought this flaw to Google’s attention back in June of this year, but it took the company 5 months to finally push a patch. Still, it’s good there is a patch: It’s not clear how long this vulnerability was really floating around, potentially putting millions of Androids in jeopardy.
How to fix the latest lock screen security flaw on Android
If you have a phone running Android 10, 11, 12, or 13, you need to install the November 2022 security update in order to patch this vulnerability. If you already installed the patch, you’re good to go! But otherwise, install it ASAP.
To install a security patch on Android, head to Settings > System > System Update, then allow the OS to look for a new update. If there’s one available, you can download and install it from here. You can also check for security updates from Settings > Security > Google Security checkup.
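
For checking several devices at once instead of tapping through Settings on each, the following added example (not from the article, the researcher, or Google) reads the Android release and security patch level of every adb-attached device and flags Android 10 to 13 devices whose patch level predates November 2022. It assumes `adb` is installed and USB debugging is authorized on each device; the function names `classify` and `audit_devices` are this example's own.

```sh
#!/bin/sh
# Added example: audit devices against the article's guidance that
# Android 10, 11, 12 and 13 need the November 2022 security update.

REQUIRED_YM=202211   # November 2022, written as YYYYMM for integer comparison

# classify RELEASE PATCH_LEVEL
# Prints: patched | vulnerable | out-of-scope | unknown
classify() {
    release=$1
    patch=$2
    # The security patch level property is formatted YYYY-MM-DD.
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return ;;
    esac
    major=${release%%.*}              # "8.1.0" -> "8", "13" -> "13"
    case $major in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    # The article names only Android 10-13; other releases are not judged here.
    if [ "$major" -lt 10 ] || [ "$major" -gt 13 ]; then
        echo out-of-scope
        return
    fi
    ym=$(printf '%s' "$patch" | cut -c1-4,6-7)    # "2022-10-05" -> "202210"
    if [ "$ym" -lt "$REQUIRED_YM" ]; then echo vulnerable; else echo patched; fi
}

# Query every authorized adb device and print one tab-separated line per device.
audit_devices() {
    adb devices | tail -n +2 | while read -r serial state; do
        [ "$state" = device ] || continue         # skip unauthorized/offline
        release=$(adb -s "$serial" shell getprop ro.build.version.release </dev/null | tr -d '\r')
        patch=$(adb -s "$serial" shell getprop ro.build.version.security_patch </dev/null | tr -d '\r')
        printf '%s\tAndroid %s\tpatch %s\t%s\n' \
            "$serial" "$release" "$patch" "$(classify "$release" "$patch")"
    done
}

# Only touch adb when it is actually installed.
if command -v adb >/dev/null 2>&1; then
    audit_devices
fi
```

A result of `unknown` means the device did not return a well-formed patch level and should be checked by hand in Settings.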