When we block our Android mobile phone , what we hope is that this state is precisely a protection against other users who access our terminal, but cannot use it if they do not know the corresponding pattern or PIN.
Well, that theory has not been the practice in some phones of the Google operating system, since a bug allows anyone to bypass the lock screen of an Android device.
Anyone could unlock your Android
Cybersecurity researcher David Schütz is the author of the discovery of this vulnerability. It was able to unlock both the Google Pixel 6 and the Google Pixel 5 without needing to know the unlock code.
To do this, in a fresh start, after his Pixel 6 ran out of charge, he incorrectly entered the PIN code three times, which we know causes the mobile to lock and the PUK code to be needed to enter the device .
After unlocking the SIM card and selecting a new PIN, the device did not ask for the lock screen password , but only asked for a fingerprint scan. As you know, you should not have the option to use your fingerprint to unlock the phone until after a successful unlock with the passcode.
Affects millions of Android
Google fixed the security issue in the latest Android update released last week, but it’s been out for at least six months. However, the impact of this security vulnerability is quite broad, affecting all devices running Android versions 10, 11, 12, and 13 that have not been updated to the November 2022 patch level. Manufacturers with layers on Android do not always update to the security patch immediately, so some of them will still be vulnerable for a few weeks.
Even though it requires physical access to the device and therefore saves us from possible remote attacks, this flaw can still cause huge privacy issues. For example, in the case of stolen mobiles, the attacker can simply use their own SIM card in the target device, enter the wrong PIN three times, provide the PUK number, and gain unrestricted access to the victim’s device .
Schütz reported the bug to Google in June 2022. Already then the tech giant recognized the bug and assigned it a CVE (Common Vulnerabilities and Exposures) code, CVE-2022-20465 , but they didn’t publish a fix until November 7, 2022. 2022. For his findings, Schütz has been awarded $70,000 for his find , which gives an idea of the importance of fixing this vulnerability as soon as possible.
