A vulnerability impacting “seemingly all” Google Pixel phones could reportedly have allowed an unauthorized person to get into a locked Pixel device.
According to a blog post by cybersecurity researcher David Schütz, whose bug report convinced Google to take action, the bug was patched for the affected Android phones only in the November 5, 2022 security update, around six months after he filed his report.
The vulnerability, tracked as CVE-2022-20465, allowed an attacker with physical access to bypass the lock screen protections, such as fingerprint and PIN, and gain complete access to the user’s device.
How did the exploit work?
Schütz, who claimed that another researcher’s previous bug report flagging the issue was ignored, said that the exploit was simple and easily replicable.
It involved locking a SIM card by entering the wrong PIN three times, re-inserting the SIM tray, resetting the PIN by entering the SIM card’s PUK code (which should come with the original packaging) and then choosing a new PIN.
Since the attacker could just bring their own PIN-locked SIM card, nothing other than physical access was required to execute the exploit, according to Schütz.
Would-be attackers could just swap such a SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code.
To Google’s credit, and despite the seriousness of the exploit, Schütz claims that after he filed a report detailing the vulnerability, Google attended to it within 37 minutes.
Although Schütz did not provide any evidence, he posited that other Android vendors may also have been affected. This is certainly possible, as Android is an open source operating system.
This isn’t the first time a security researcher has unveiled serious security flaws within Android phones, either.
In April 2022, Check Point Research (CPR) unearthed a flaw which, if left unpatched, could potentially have rendered a large number of Android phones vulnerable to remote code execution, due to vulnerabilities in the audio decoders of Qualcomm and MediaTek chips.