Google has paid a security researcher $70,000 for privately reporting an “accidental” Android lock screen bypass bug that let anyone unlock Google Pixel phones without knowing the passcode. The bug, tracked as CVE-2022-20465, is classed as a local escalation of privilege because it gives someone holding the device unauthorized access to its data.
David Schütz, a researcher based in Hungary, found that anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter that card’s pre-programmed recovery code, the PUK, to get around the lock screen security of the Android operating system. After the bug was fixed, Schütz wrote a blog post explaining how he discovered the lock screen bypass and disclosed it to Google’s Android team.
Users of Android devices can lock the phone with a numeric passcode or password, a pattern, a fingerprint or a face scan. Separately, the SIM card in a phone can be protected by its own PIN code, so that someone who physically removes the card cannot misuse the phone number. If the SIM PIN is entered incorrectly more than three times, the card can be reset with a second code, the personal unlocking code, or PUK. Schütz discovered that entering a SIM card’s PUK code tricked a fully patched Pixel 6 and his older Pixel 5 into unlocking the phone and its data without the lock screen ever being displayed.
Since a malicious actor could bring their own SIM card and its corresponding PUK code, only physical access to the phone is required, said Schütz. “The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code,” he added.
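The sequence described above, as an added illustration that is not from the article, from Schütz’s write-up or from Android’s source: a toy model of a layered lock screen in which a SIM PIN prompt, then a PUK prompt, sit in front of the user’s own device credential. The article does not describe the internal cause of CVE-2022-20465, so the modelled defect (a correct PUK clearing the entire keyguard instead of only the SIM layer) is an assumption chosen to reproduce the reported symptom; all PIN, PUK and passcode values are constructed sample data.

```python
"""Toy model of a layered lock screen (constructed example, not Android's keyguard).

The 'patched' flag switches between the assumed defect, where a correct PUK
dismisses every remaining security layer, and the corrected behaviour, where
it only removes the SIM layer and the device-credential prompt is still shown.
"""

from dataclasses import dataclass, field
from enum import Enum, auto


class Layer(Enum):
    """Security layers the lock screen can stack, outermost first."""
    SIM_PIN = auto()            # carrier SIM PIN
    SIM_PUK = auto()            # SIM unblock code, shown after too many wrong PINs
    DEVICE_CREDENTIAL = auto()  # the user's own passcode, pattern or biometric


# Constructed sample values; none of these come from the article.
SIM_PIN = "1234"
SIM_PUK = "87654321"
DEVICE_PASSCODE = "246810"
MAX_PIN_ATTEMPTS = 3


@dataclass
class Keyguard:
    """Minimal lock-screen state machine; unlocked when no layers remain."""
    patched: bool
    layers: list = field(
        default_factory=lambda: [Layer.SIM_PIN, Layer.DEVICE_CREDENTIAL])
    pin_failures: int = 0

    @property
    def unlocked(self) -> bool:
        return not self.layers

    @property
    def current(self):
        return self.layers[0] if self.layers else None

    def enter_sim_pin(self, code: str) -> None:
        assert self.current is Layer.SIM_PIN
        if code == SIM_PIN:
            self.layers.pop(0)
            return
        self.pin_failures += 1
        if self.pin_failures >= MAX_PIN_ATTEMPTS:
            # The SIM is now blocked; the PUK prompt replaces the PIN prompt.
            self.layers[0] = Layer.SIM_PUK

    def enter_sim_puk(self, code: str) -> None:
        assert self.current is Layer.SIM_PUK
        if code != SIM_PUK:
            return
        if self.patched:
            # Correct: clearing the SIM layer reveals the next layer, the
            # device credential, which the user must still satisfy.
            self.layers.pop(0)
        else:
            # Assumed defect: PUK success dismisses the whole keyguard, so the
            # device-credential prompt is never shown (the reported symptom).
            self.layers.clear()

    def enter_device_credential(self, code: str) -> None:
        assert self.current is Layer.DEVICE_CREDENTIAL
        if code == DEVICE_PASSCODE:
            self.layers.pop(0)


def run_puk_path(patched: bool) -> list:
    """Replay the reported sequence on a fresh keyguard: an inserted SIM with a
    known PUK, its PIN exhausted, then the correct PUK. Returns the layers that
    still stand afterwards."""
    kg = Keyguard(patched=patched)
    for _ in range(MAX_PIN_ATTEMPTS):
        kg.enter_sim_pin("0000")  # wrong PIN until the SIM blocks
    kg.enter_sim_puk(SIM_PUK)
    return list(kg.layers)


def puk_path_bypasses_passcode(patched: bool) -> bool:
    """True if the PUK path alone leaves the device unlocked."""
    return not run_puk_path(patched)


def legitimate_unlock_still_works(patched: bool) -> bool:
    """The fix must not break the owner: after the PUK, the passcode unlocks."""
    kg = Keyguard(patched=patched)
    kg.layers = run_puk_path(patched)
    if kg.current is Layer.DEVICE_CREDENTIAL:
        kg.enter_device_credential(DEVICE_PASSCODE)
    return kg.unlocked


if __name__ == "__main__":
    print("unpatched model bypasses passcode:", puk_path_bypasses_passcode(False))  # True
    print("patched model bypasses passcode:  ", puk_path_bypasses_passcode(True))   # False
```

The invariant worth checking in any layered lock design is the one `run_puk_path` exposes: dismissing a subordinate prompt (SIM PIN or PUK) must only ever remove that prompt, never the device-credential layer behind it.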
Because a successful exploit gives someone access to a device’s data, Google pays security researchers up to $100,000 for lock screen bypass bugs. In this instance Schütz received a reduced $70,000 bounty because his report was flagged as a duplicate of an earlier report, one that Google had nonetheless not yet fixed.
On November 5, 2022, Google released a security update for devices running Android 10 through Android 13 that finally resolved the Android lock screen bypass bug.