Mobile phones, 15.11.2022, 12:30 PM
Cyber security researcher David Schutz accidentally discovered a way to bypass the lock screen protection on fully updated Google Pixel 6 and Pixel 5 smartphones, meaning anyone with physical access to the device could unlock it.
The vulnerability allows an attacker with physical access to the phone to bypass the Android lock screen protections (fingerprint, PIN, etc.) and gain full access to the device. Exploiting it is a simple five-step process that takes no more than a few minutes.
Schutz says he discovered the bug by accident after his Pixel 6 ran out of battery. He put the phone on the charger and turned it on. After he entered the wrong PIN code three times, the SIM card locked, so he had to use the PUK (personal unblocking key) code, after which the device asked him to set a new PIN.
To his surprise, after unlocking the SIM and selecting a new PIN, the device did not ask for a lock screen password, but only asked for a fingerprint scan.
Android devices always require a password or PIN to unlock the screen after a reboot for security reasons, so going straight to fingerprint unlocking was unexpected.
Schutz continued to experiment, and when he tried to reproduce the bug without restarting the device, he concluded that it was possible to go straight to the home screen (bypassing the fingerprint as well) if the device had been unlocked by the owner at least once after a reboot.
This bug affects all devices running Android versions 10, 11, 12 and 13 that have not received the November 2022 update.
This security issue could have serious implications for those with abusive partners, owners of stolen devices, people under investigation, etc.
An attacker can simply use his own SIM card on the device, enter the wrong PIN three times, enter the PUK code and access the victim’s device without restrictions.
Schutz reported the bug to Google in June 2022, but although the tech giant acknowledged the bug, a fix wasn’t released until November 5.
Google awarded Schutz $70,000 for his discovery.
Android 10, 11, 12, and 13 users can fix this bug by applying the November 5, 2022 security update.
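To check whether a device already has that update, the following added example (not from the article or from Google) compares a device's Android release and security patch level against the November 5, 2022 level. The function names and the sample inventory are constructed for illustration; `check_device` assumes `adb` is installed and the device is authorized for debugging.

```shell
#!/bin/sh
# Patch level the article gives for the fix.
FIXED_PATCH_LEVEL="2022-11-05"

# lockscreen_fix_status RELEASE PATCH_LEVEL
# Prints one of: patched | vulnerable | out-of-scope | unknown
lockscreen_fix_status() {
    release=${1%%.*}                     # "12.1" -> "12"
    patch=$2
    case $release in
        ''|*[!0-9]*) echo unknown; return ;;
    esac
    case $patch in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo unknown; return ;;       # missing or malformed patch level
    esac
    # The article names only Android 10 through 13 as affected.
    if [ "$release" -lt 10 ] || [ "$release" -gt 13 ]; then
        echo out-of-scope; return
    fi
    # ISO dates compare correctly as integers once the dashes are removed.
    have=$(echo "$patch" | tr -d '-')
    need=$(echo "$FIXED_PATCH_LEVEL" | tr -d '-')
    if [ "$have" -ge "$need" ]; then echo patched; else echo vulnerable; fi
}

# Query a connected device over adb; the serial argument is optional.
check_device() {
    rel=$(adb ${1:+-s "$1"} shell getprop ro.build.version.release | tr -d '\r')
    pl=$(adb ${1:+-s "$1"} shell getprop ro.build.version.security_patch | tr -d '\r')
    lockscreen_fix_status "$rel" "$pl"
}

# Constructed sample inventory: name, Android release, security patch level.
while read -r name rel pl; do
    printf '%-10s %s\n' "$name" "$(lockscreen_fix_status "$rel" "$pl")"
done <<'EOF'
pixel6-a 13 2022-10-05
pixel5-b 12 2022-11-05
tablet-c 9 2019-08-01
phone-d 11 unknown
EOF
```

On the device itself, the same patch level is shown in the system settings under the Android version details.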