Vulnerability that unlocks Google Pixel by disabling fingerprint authentication, PIN, etc.

It was reported that Google Pixel had a vulnerability that allowed access to internal data by bypassing all PINs and fingerprint authentication that lock the terminal. This bug was just fixed in a security update delivered on November 5, 2022.

Accidental $70k Google Pixel Lock Screen Bypass -

Security researcher David Schutz discovered the bug more than five months before it was fixed. A security update fixes a bug that could allow malicious attackers to unlock your device. Although unlocking requires a 'PUK code' to unlock the SIM card, the procedure was very simple.

The reason Schutz discovered this bug was that he happened to forget the PIN code for his Pixel 6. After restarting the terminal, the terminal was locked because the code was mistaken many times, so when the PUK code written on the SIM card mount was entered, the following screen was displayed. There is an icon to accept fingerprint authentication on the screen, but normally it does not accept fingerprint authentication immediately after restarting, so you can see that it is an abnormal behavior.

When fingerprint authentication is performed in this state, a strange message 'Pixel is starting ...' is displayed this time, and it seems that it remained as it was until restarting.

As a result of repeated verification several times, he said that he succeeded in establishing a procedure that can unlock the terminal as long as there is a PUK code, without needing anything special. Mr. Schutz immediately reported it to Google, and after 37 minutes Google acknowledged it as a bug. Since then, however, the quality and frequency of responses has declined.

Although this problem is considered to be a serious bug that requires urgency, it is said that there was no report from Google for a month. Furthermore, since there was no progress even after nearly three months had passed since the report, Mr. Schutz seems to have conducted a demonstration experiment at a Google event that he was participating in at that time.

Still, the patch was not distributed, and Mr. Schutz's sense of crisis only increased. Finally, on November 5th, five months after the report, a patch containing a response to the vulnerability 'CVE-2022-20465' was finally released.

According to Mr. Schutz, who analyzed the problem by looking at the official patch, Android has the concept of 'security screen', and there are multiple screens such as 'PIN input screen', 'fingerprint authentication screen', 'password input screen', and 'PUK input screen'. lock screens can now be stacked on top of each other. These can be stacked on top of each other, but after a certain procedure, a conflict occurred and a screen that should not have been called was displayed, allowing the device to be unlocked.

in Mobile,   Software,   Security, Posted by log1p_kr