A researcher and bug hunter has found a simple way to bypass any lock screen of a fully patched Android.
David Schütz (@xdavidhu), the researcher, wasn’t even bug hunting at the time. He found the bypass by accident.
How he found the flaw
Schütz owns up-to-date Google Pixel 5 and 6 smartphones.
Coming home from a 24-hour trip, his Pixel 6 ran out of power. Once plugged in, he couldn’t remember the device’s PIN, so he made three wrong guesses. This caused the SIM card to lock itself. A PUK (Personal Unblocking Key) code was then needed to unlock the SIM.
After entering the PUK, the SIM unlocked, and the device asked for a new PIN, skipping the part where he’s supposed to enter his lock screen password first before asking for a fingerprint scan.
“It was a fresh boot, and instead of the usual lock icon, the fingerprint icon was showing,” Schütz said. “It accepted my finger, which should not happen, since after a reboot, you must enter the lock screen PIN or password at least once to decrypt the device.”
“After accepting my finger, it got stuck on a weird ‘Pixel is starting…’ message, and stayed there until I rebooted it again.”
Schütz posted a PoC (proof-of-concept) video of the bypass on YouTube.
Bypass details
The bypass is tracked as CVE-2022-20465, a high-severity Android flaw that could lead to privilege escalation. That means that anyone with physical access to an affected phone could fully control it.
Schütz said the flaw seemingly affects all Google Pixel devices but could also affect other Android devices. The vulnerable versions are 10, 11, 12, and 13.
Google already knew of this vulnerability before July 2022, when Schütz first reported the bug to the company, but only provided a patch this November.
Note that this flaw can only be exploited (in this case) if the attacker has physical access to an Android device.
Looking at potential scenarios where such an attack can be carried out, abusive partners could compromise a phone this way in order to install stalkerware, law enforcement could have devices of persons of interest spied on, or device thieves could steal an Android phone without worrying about being unable to access and use it themselves.
Do you need to update your Android device?
Google advises users of Android 10, 11, 12, and 13 to apply the 2022-11-05 security patch.
To check if your device needs this patch, first find out what version of Android is installed on it. You can do this by going to your device’s Settings app, tapping the About phone section near the bottom, and then Android version. (Other device manufacturers may store this information in another section.) Your device should show a list of information about your OS, including “Android version”, “Build number”, and “Android security patch level” (or “Android security update”, depending on your manufacturer).
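For anyone checking several devices, the same comparison can be scripted from a computer over adb. This is an added example, not part of the original article: it assumes USB debugging is enabled, reads the standard `ro.build.version.release` and `ro.build.version.security_patch` properties, and the sample `getprop` output embedded in it is constructed.

```python
import re
import subprocess
import sys
from datetime import date

FIX_LEVEL = date(2022, 11, 5)            # patch level named in the article
AFFECTED = {"10", "11", "12", "13"}      # Android versions named in the article
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE = """\
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2022-10-05]
[ro.product.model]: [Pixel 6]
"""

def parse_getprop(text):
    """Turn `[key]: [value]` lines from getprop into a dict."""
    props = {}
    for line in text.splitlines():
        m = PROP_RE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props

def assess(props):
    """Return 'patched', 'needs-update', 'not-listed' or 'unknown'."""
    release = props.get("ro.build.version.release", "").split(".")[0]
    raw = props.get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        return "unknown"          # property missing or malformed: check by hand
    if level >= FIX_LEVEL:
        return "patched"
    if release in AFFECTED:
        return "needs-update"
    return "not-listed"           # older patch level, version not named in the article

if __name__ == "__main__":
    if "--adb" in sys.argv:       # read the connected device over USB debugging
        text = subprocess.run(["adb", "shell", "getprop"], capture_output=True,
                              text=True, check=True).stdout
    else:
        text = SAMPLE             # offline run on the constructed sample
    props = parse_getprop(text)
    print(props.get("ro.product.model", "?"), assess(props))
```

Run without arguments it evaluates the constructed sample; with `--adb` it queries the one connected device.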
Do you have the latest Android update?
Lastly, to ensure your Android device is running on the latest update available to its version, go to Settings > System update (or Software update, depending on your manufacturer). You should be able to see your update status. If there’s a pending update, follow the steps on the screen.