Android discovery earns security researcher $70,000 bounty • The Register

In brief A security researcher whose Google Pixel battery died while sending a text message is probably thankful for the interruption. The reboot led to a discovery that earned him a $70,000 bounty from Google for a lock screen bypass bug.

Now patched, the vulnerability would allow anyone with a spare SIM card and access to a device to completely bypass the lock screen, giving them unfettered access to the device.

Hungarian security researcher David Schütz said in a blog post that he made the discovery when he turned on his Pixel 6 and forgot his SIM card’s PIN, forcing him to dig up the personal unlock key, or PUK, that allowed him to reset the PIN. After a reboot, his phone repeatedly got stuck on the “Pixel is busy” screen.

Schütz tried to replicate the problem, but on one occasion he forgot to reboot the phone. “As I did before, I entered the PUK code and chose a new PIN. This time the phone faltered and I was on my personal home screen,” Schütz said.

After a few more tries, Schütz said he was confident he had a “full lock screen bypass, on the fully patched [at the time] Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too.”

The problem stemmed from Android calling a .dismiss() function every time the SIM PUK was reset. Schütz said the call seems to have been meant to close the PUK reset screen, but it was not made until that screen had already disappeared. Since the next active security layer underneath was all that remained, Android dismissed that one instead, without realizing the mistake.
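To make the bug class concrete, here is an added toy model of a stacked keyguard, written for this page and not taken from Android or from Schütz’s write-up. It assumes two constructed screen names (DEVICE_PIN and SIM_PUK) and contrasts an untargeted dismiss that pops whatever is on top when it finally runs with a hardened variant that only removes the screen its caller intended:

```python
# Added illustration (not Android's code): a toy model of a stacked keyguard,
# showing why an untargeted dismiss() that runs late can remove the wrong
# security screen. All names here are constructed for the example.


class KeyguardStack:
    """Security screens stacked bottom-to-top, e.g. ['DEVICE_PIN', 'SIM_PUK'].
    The device counts as unlocked only when no screen remains."""

    def __init__(self, screens):
        self.screens = list(screens)

    def top(self):
        return self.screens[-1] if self.screens else None

    def unlocked(self):
        return not self.screens

    def dismiss_top(self):
        """Vulnerable pattern: pop whatever is on top right now, whoever asked."""
        return self.screens.pop() if self.screens else None

    def dismiss_if_top(self, expected):
        """Hardened pattern: pop only if the screen the caller meant is still on top."""
        if self.top() == expected:
            return self.screens.pop()
        return None


def simulate_puk_reset(hardened):
    """Replay the sequence of events from the report against the toy stack.

    1. The user enters the PUK and a new SIM PIN; the SIM becomes ready and the
       framework removes the PUK screen as a consequence of that state change.
    2. A separate, delayed dismiss() intended for the PUK screen fires afterwards.
    Returns (event log, name of the screen left on top, or None if unlocked).
    """
    stack = KeyguardStack(["DEVICE_PIN", "SIM_PUK"])
    log = []

    removed = stack.dismiss_if_top("SIM_PUK")
    log.append(f"sim ready: removed {removed}")

    # The late callback: in the vulnerable variant it dismisses the top screen
    # blindly, so it lands on DEVICE_PIN; the hardened variant names its target.
    removed = stack.dismiss_if_top("SIM_PUK") if hardened else stack.dismiss_top()
    log.append(f"late dismiss(): removed {removed}")

    log.append("UNLOCKED" if stack.unlocked() else f"still locked at {stack.top()}")
    return log, stack.top()


if __name__ == "__main__":
    for hardened in (False, True):
        log, _ = simulate_puk_reset(hardened)
        print("hardened" if hardened else "vulnerable", "->", " | ".join(log))
```

The defensive point is the second variant: a dismiss request should carry the identity of the screen it is meant for and be ignored if that screen is no longer the one on top, so that reordering or delay of callbacks cannot strip a lower security layer.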

Schütz said Google quickly flagged the issue when he filed it, but then went quiet for several months. After asking for a follow-up, he was told the problem was a duplicate. Google later admitted that even though his bug was a duplicate, the company took action only because of his report, and fixed it in the November 5 security update for Android.

Because it was a duplicate, Google couldn’t award the full $100,000 that a bug of that severity would deserve, but the company decided to give him $70,000 for pushing it into action.

Phishing gang Royal takes it up a notch

A threat actor known to Microsoft as DEV-0569 has reportedly stepped up its game from phishing and spam emails to using more dangerous tactics, possibly even selling access to ransomware operators trying to deliver a new strain of ransomware known as Royal.

DEV-0569 shows a continuous pattern of innovation, Microsoft said, making this latest pivot just one in a long line of tactics the group has adopted and payloads it has deployed.

Recent tactics that Microsoft has noticed include using contact forms on targeted websites to deliver phishing links, hosting bogus installation files on bogus download sites and legitimate repositories, and extending malvertising activity to Google ads to “effectively blend in with normal ad traffic,” Microsoft said.

Regarding the deployment of the Royal ransomware, Microsoft said instances of DEV-0569’s infection chains “ultimately enabled human-operated ransomware attacks that spread Royal,” but the company isn’t outright saying that DEV-0569 is behind the attacks.

The group will likely continue to rely on phishing and malvertising. Microsoft recommends defending systems accordingly, e.g. keeping systems updated and blocking certain web traffic.

Another Booz Allen employee was caught smuggling data

Booz Allen Hamilton Holding Corporation, former employer of ex-NSA contractor and Russian citizen Edward Snowden, has told its employees that before leaving the company, one of their colleagues made off with a copy of a report containing their personally identifiable information.

A lot of it.

“Based on our review, personal information has been released including: your name, social security number, compensation, gender, race, ethnicity, date of birth and eligibility and status for U.S. government security clearance as of March 29, 2021,” the company said in a form letter [PDF] it sent to employees.

The company does not believe the employee intended to misuse the data and believes the threat to its employees is low. Nevertheless, Booz Allen is offering employees two years of Equifax credit monitoring, just in case.

As you may recall, Booz Allen was Edward Snowden’s employer when he leaked details of NSA spy operations to the press in 2013. Another former employee was also caught with secret documents he smuggled home from the intelligence service.

This may also be a good time for Booz Allen to consider changes to the hiring process. ®