One minute hack allowed lock screen bypass on Android, current Pixels are safe


Right on schedule, Google released its November security update for Pixel phones, and judging by the short list of user-facing changes, it looks like nothing more than a routine release that addresses a few bugs, including fixes for excess power consumption, screen flickering and occasional app crashes. However, this update also fixes a serious vulnerability that allowed a person to bypass the lock screen of many Android phones in under a minute, without any software or special tools.


This lock screen bypass was discovered by David Schütz. The surprisingly simple process only requires physical access to a vulnerable phone and a spare SIM card that is locked with a PIN. All it takes is to swap in the spare SIM card, enter an incorrect SIM PIN three times and then enter the PUK code (usually printed on the wallet-sized card the SIM is punched out of). After those few steps, the lock screen simply disappears. David demonstrates the process in the video below.


How it works

The details of how this vulnerability comes about are described in David Schütz’s blog post, but to oversimplify, the problem stems from the way Android implements the lock screen, or rather the small set of security screens it manages, which includes the default lock screen as well as the SIM PIN and PUK code entry screens. When a security screen needs to be displayed, such as after booting or after the screen is turned off and on again, Android pushes it onto a stack, and the user cannot dismiss it without satisfying its condition (e.g. a valid fingerprint or passcode). Once the condition is met, the system sends a signal to dismiss the security screen at the top of this stack and returns to whatever security screen remains beneath it, or to an app or the home screen if there are no other security screens on the stack.

The unusual issue behind this vulnerability involves a system service that listens for changes in the SIM card’s state. Once the PUK code is accepted and the SIM’s PIN is reset, the SIM becomes active, and that system service reacts by dismissing the PUK security screen, which returns the normal lock screen to the top of the stack. However, when the operating system then finished processing the result of the PUK security screen, it still sent a message to dismiss a security screen. Since only one security screen was left, the normal lock screen, the system mistakenly dismissed it and gave the user full access to the device.

What is affected?

There are some caveats to this bypass, most notably that it’s only fully effective on a device that has been unlocked at least once since it was last booted. If it hasn’t been, it’s still possible to get past the lock screen, but private data and most configuration settings remain inaccessible, which usually leaves most software on the phone unable to work properly until it’s rebooted. It is still unclear whether the bypass works on devices with the Advanced Protection Program (APP) enabled.

Furthermore, while the hack was initially discovered on a Pixel phone, the bug lives in code that is part of the Android Open Source Project (AOSP). As a result, devices running software based on this code may also be vulnerable. Some people have already reported that Lineage-powered devices are vulnerable, and GrapheneOS probably is as well. However, some reports indicate that recent Samsung devices are not.

Google published a bug fix

Google’s solution to this bug is quite simple. Instead of changing the behavior of the SIM-activation system service, which could open the door to other bugs, the Android team extended the dismiss message to require a new parameter that specifies the type of security screen to be dismissed. With that in place, there should be no risk of the wrong type of screen being accidentally removed from the stack.
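To make the stack behaviour described in the “How it works” section and the shape of Google’s fix concrete, here is an added Python model. It is not Android’s keyguard code and the screen names and function names are hypothetical; it only reproduces the ordering the article describes (the SIM-state listener dismisses the PUK screen first, then the PUK screen’s own completion handler sends a second dismiss) against an untyped dismiss and a typed one.

```python
"""Constructed model of Android's security-screen stack (not framework code).

Screen names and the two dismiss variants are hypothetical stand-ins. The
model shows why an untyped "dismiss the top security screen" message can
remove the wrong screen, and how requiring the screen type prevents it.
"""
from dataclasses import dataclass, field
from typing import List, Optional

LOCK_SCREEN = "lock_screen"  # normal PIN / pattern / fingerprint screen
SIM_PIN = "sim_pin"          # SIM PIN entry screen
SIM_PUK = "sim_puk"          # PUK entry screen shown after three wrong SIM PINs


@dataclass
class SecurityStack:
    """Stack of security screens; an empty stack means the device is unlocked."""
    screens: List[str] = field(default_factory=list)
    log: List[str] = field(default_factory=list)

    def show(self, kind: str) -> None:
        self.screens.append(kind)
        self.log.append(f"show {kind}")

    def top(self) -> Optional[str]:
        return self.screens[-1] if self.screens else None

    def unlocked(self) -> bool:
        return not self.screens

    def dismiss_untyped(self) -> Optional[str]:
        """Pre-fix behaviour: pop whatever happens to be on top."""
        popped = self.screens.pop() if self.screens else None
        self.log.append(f"dismiss(untyped) -> {popped}")
        return popped

    def dismiss_typed(self, expected: str) -> Optional[str]:
        """Fixed behaviour: pop only if the top screen is the expected type."""
        if self.screens and self.screens[-1] == expected:
            popped = self.screens.pop()
        else:
            popped = None  # wrong screen on top: ignore the stale dismiss
        self.log.append(f"dismiss({expected}) -> {popped}")
        return popped


def puk_flow(fixed: bool) -> SecurityStack:
    """Replay the SIM swap / wrong PIN x3 / correct PUK sequence.

    fixed=False uses the untyped dismiss (vulnerable), fixed=True the typed one.
    """
    stack = SecurityStack()
    stack.show(LOCK_SCREEN)  # phone is locked after an earlier unlock
    stack.show(SIM_PIN)      # PIN-locked spare SIM inserted

    # Three wrong SIM PINs: the SIM PIN screen is replaced by the PUK screen.
    stack.screens.pop()
    stack.show(SIM_PUK)

    # Correct PUK entered. Step 1: the SIM-state listener sees the SIM become
    # active and dismisses the PUK screen.
    if fixed:
        stack.dismiss_typed(SIM_PUK)
    else:
        stack.dismiss_untyped()

    # Step 2: the PUK screen's own completion handler also sends a dismiss.
    # Untyped: the only screen left is the lock screen, so it gets popped.
    # Typed: the top is not a PUK screen, so the dismiss is ignored.
    if fixed:
        stack.dismiss_typed(SIM_PUK)
    else:
        stack.dismiss_untyped()
    return stack


if __name__ == "__main__":
    for fixed in (False, True):
        result = puk_flow(fixed)
        print("fixed" if fixed else "vulnerable", "->",
              "UNLOCKED" if result.unlocked() else f"top={result.top()}")
        for line in result.log:
            print("   ", line)
```

Run it and the vulnerable variant ends with an empty stack (the device is unlocked by the second, stale dismiss), while the typed variant leaves the normal lock screen on top. The design point is the one the article makes: rather than trying to make the SIM-state listener and the screen’s completion handler agree on who dismisses what, the fix makes every dismiss request name the screen it is meant for, so a request that arrives late is harmless.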

This vulnerability is formally tracked as CVE-2022-20465. Google landed the fix in the Android 13 branch on AOSP, and it was also backported to the Android 10, 11 and 12 branches.

Google generally communicates vulnerability warnings to its hardware partners ahead of public releases, so it’s likely that most manufacturers will roll out security updates to all devices that may be vulnerable in the near future.

$70,000 bug bounty reward

For reporting the issue, Google paid David $70,000 USD under its bug bounty program, which has paid out several million dollars over the years. Unfortunately, the process didn’t go as smoothly as it should have. According to David’s retelling of events, he first tried to report the issue about five months ago, when Google claimed it was a duplicate and therefore ineligible for a reward. Months later, after he demonstrated the issue to a number of Google employees and a public disclosure deadline was set, it was finally patched.

This situation demonstrates the need for regular, long-term security updates for phones that are likely still in use. Naturally, anyone with a potentially vulnerable phone should install the latest security update as soon as it becomes available. In the meantime, restarting the phone and leaving it locked should keep your private data out of reach, though that is hardly a practical strategy for everyday use.