Google Pixel Phones Are Vulnerable To An Easy Lock-Screen Bypass Hack, Update Now
Google issues monthly security patches for its Pixel phones and for other Android devices via the Android Open Source Project. Each of these patches includes important fixes to protect end users from emerging threats or disclosed flaws. November’s security update is particularly important for Pixel owners, as it addresses a relatively low-skill bypass of the user’s lock screen.
Security researcher David Schütz stumbled upon the full lock screen bypass almost by accident. Over on his blog, he recounts how, upon returning home after traveling, he was faced with a dying-then-dead battery and a series of text messages he still needed to send.
After finding the charger and booting the phone back up, it prompted for the SIM’s PIN code. Perhaps due to a travel-addled brain, he says he could not remember it and ended up failing to enter it correctly three times. At this point, the phone prompted for the SIM’s PUK code to unlock and continue. This is typically included on a SIM card’s packaging (you did save yours, right?). This process asked him to set a new PIN, which he did, but he then noticed that after a reboot he was able to unlock the phone with just his fingerprint—typically a PIN or password is needed at this point.
Combined with some other oddities, Schütz decided to revisit the experience after getting some rest. After a few cycles of retracing his steps, he discovered a sequence of actions that produced the lock screen bypass once he unintentionally left out a reboot.
In the video above, Schütz demonstrates the process. Starting with a locked Pixel phone, he enters an incorrect fingerprint multiple times until it disables biometric authentication and requires a PIN. At this point he removes the SIM card from the device (while it is still powered on) and replaces it with a second SIM intended to be the hacker’s own. This initially prompts for the new SIM’s PIN but upon failing that three times, it instead prompts for the PUK code. As the attacker would know this new PUK, he enters it and the phone immediately unlocks after setting a new PIN, providing full access.
On the one hand, this attack vector requires physical access to a device, but on the other hand he notes that this is exactly the sort of bypass the FBI has pressed companies like Apple for. Schütz reported his findings to Google. The disclosure process was apparently lengthy, and not particularly communicative, with Google at one point flagging the issue as a duplicate report—thus ineligible for payout. After taking an opportunity to directly demonstrate the exploit to some engineers, Google has finally issued a patch as part of the November 2022 security update.
The patch addresses the issue by no longer dismissing the device lock screen once the SIM PUK unlock is completed. While the fix sounds simple enough, Schütz goes on to explain that Android engineers decided to refactor the `.dismiss()` function responsible for closing security screens. The original implementation allowed unrelated security screens to be dismissed by mistake, e.g. the phone’s lock screen layered below the PUK screen. To dramatically simplify things, the `.dismiss()` function now takes a parameter identifying which security screen it should be dismissing.
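As an added illustration (not Schütz's code and not Android's own keyguard implementation), the following Python model contrasts an untargeted `dismiss()` with one that names the screen it expects to close. It assumes, purely for the model, that completing the PUK flow results in two dismiss calls reaching the security-screen stack; the `Keyguard` class and screen names are invented.

```python
# Constructed model of the keyguard security-screen stack described above.
# Not Android's code: the class, screen names and double-dismiss trigger
# are assumptions made to show why an untargeted dismiss() is dangerous.
from typing import List, Optional

DEVICE_LOCK = "DEVICE_LOCK"  # the user's PIN/password screen, bottom of the stack
SIM_PIN = "SIM_PIN"
SIM_PUK = "SIM_PUK"


class Keyguard:
    """A stack of security screens; the device is unlocked when it is empty."""

    def __init__(self) -> None:
        self.stack: List[str] = [DEVICE_LOCK]

    def current(self) -> Optional[str]:
        return self.stack[-1] if self.stack else None

    def show(self, screen: str) -> None:
        self.stack.append(screen)

    def dismiss_untargeted(self) -> None:
        """Pre-patch behaviour: pop whatever screen happens to be on top."""
        if self.stack:
            self.stack.pop()

    def dismiss_expecting(self, expected: str) -> bool:
        """Post-patch behaviour: only pop the top screen if it is the one the
        caller meant to dismiss; a stale call for another screen is dropped."""
        if self.current() != expected:
            return False
        self.stack.pop()
        return True


def puk_flow(keyguard: Keyguard, patched: bool) -> Optional[str]:
    """Model the SIM-swap sequence on a locked phone and return the screen
    left on top afterwards (None means the device is fully unlocked)."""
    keyguard.show(SIM_PIN)         # hot-swapped SIM asks for its PIN
    keyguard.stack[-1] = SIM_PUK   # three wrong PINs: PIN screen becomes PUK screen
    # Correct PUK entered. In this model the SIM state change and the PUK
    # screen's own success path each ask the keyguard to dismiss (assumed).
    if patched:
        keyguard.dismiss_expecting(SIM_PUK)  # PUK screen goes
        keyguard.dismiss_expecting(SIM_PUK)  # no PUK on top any more: ignored
    else:
        keyguard.dismiss_untargeted()        # PUK screen goes
        keyguard.dismiss_untargeted()        # device lock goes too: full bypass
    return keyguard.current()
```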
For his troubles, the discovery netted Schütz a $70,000 payday. Google ended up reverting its decision to not reward it as a duplicate by acknowledging that his persistence is what caused the company to actually work on the fix. Either way, it seems all has been made right, and end users are now better protected—as long as they install the latest patch, of course!
All Images Credit: David Schütz