Cybersecurity researcher David Schütz accidentally found a way to bypass the lock screen on his fully patched Google Pixel 6 and Pixel 5 smartphones, enabling anyone with physical access to the device to unlock it.
Exploiting the vulnerability to bypass the lock screen on Android phones is a simple five-step process that wouldn’t take more than a few minutes.
Google has fixed the security issue in the latest Android update, released last week, but the flaw remained available for exploitation for at least six months.
Schütz says he discovered the flaw by accident: after his Pixel 6 ran out of battery, he entered his PIN wrong three times and then recovered the locked SIM card using the PUK (Personal Unblocking Key) code.
To his surprise, after unlocking the SIM and selecting a new PIN, the device didn’t ask for the lock screen password but only requested a fingerprint scan.
Android devices always request a lock screen password or pattern upon reboot for security reasons, so going straight to fingerprint unlock wasn’t normal.
The researcher continued experimenting, and when he tried reproducing the flaw without rebooting the device and starting from an unlocked state, he found it was possible to bypass the fingerprint prompt, too, going straight to the home screen.
The impact of this security vulnerability is quite broad, affecting all devices running Android versions 10, 11, 12, and 13 that haven’t been updated to the November 2022 patch level.
Physical access to a device is a strong prerequisite. However, the flaw still carries severe implications for people with abusive spouses, those under law enforcement investigations, owners of stolen devices, etc.
The attacker can simply use their own SIM card on the target device, disable biometric authentication (by trying out fingerprint unlock too many times), enter the wrong PIN three times, provide the PUK number, and access the victim’s device without restrictions.
The issue is caused by the keyguard being wrongly dismissed after a SIM PUK unlock, due to a conflict between dismiss calls that affects the stack of security screens running under the dialog.
When Schütz entered the correct PUK number, a “dismiss” function was called twice, once by a background component that monitors the SIM state, and once by the PUK component.
This caused not only the PUK security screen to be dismissed but also the next security screen in the stack, which is the keyguard, followed by whatever screen was next queued in the stack.
If there’s no other security screen, the user would directly access the home screen.
Google’s solution is to include a new parameter for the security method used in every “dismiss” call so that the calls dismiss specific types of security screens and not just the next one in the stack.
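The double-dismiss behaviour and the scoped fix described above can be modelled in a few lines. This is an added illustration, not Android source code; the class, method and caller names (SecurityStack, dismiss_unscoped, dismiss_scoped, puk_unlock, sim_state_monitor, puk_screen) are hypothetical.

```python
# Simplified model of the security-screen stack (constructed for
# illustration; all names are hypothetical, not Android's own).
from enum import Enum


class Screen(Enum):
    SIM_PUK = "sim_puk"
    KEYGUARD = "keyguard"  # PIN / pattern / password screen
    HOME = "home"


class SecurityStack:
    """Security screens layered over the home screen, topmost first."""

    def __init__(self, screens):
        self.screens = list(screens)
        self.ignored = []  # stale dismiss calls, useful as a log signal

    def current(self):
        return self.screens[0] if self.screens else Screen.HOME

    def dismiss_unscoped(self, caller):
        # Pre-patch behaviour as described: drop whatever is on top,
        # regardless of which screen the caller meant to dismiss.
        if self.screens:
            self.screens.pop(0)

    def dismiss_scoped(self, caller, expected):
        # Patched behaviour as described: the caller names the security
        # method it is dismissing; a mismatch leaves the stack untouched.
        if self.screens and self.screens[0] is expected:
            self.screens.pop(0)
        else:
            self.ignored.append((caller, expected))


def puk_unlock(scoped):
    """Replay 'correct PUK entered' with two components reacting to it."""
    stack = SecurityStack([Screen.SIM_PUK, Screen.KEYGUARD])
    for caller in ("sim_state_monitor", "puk_screen"):
        if scoped:
            stack.dismiss_scoped(caller, Screen.SIM_PUK)
        else:
            stack.dismiss_unscoped(caller)
    return stack


if __name__ == "__main__":
    print("unscoped:", puk_unlock(scoped=False).current())
    print("scoped:  ", puk_unlock(scoped=True).current())
```

With unscoped calls the second dismiss removes the keyguard; with scoped calls it is recorded as stale and the keyguard stays on top.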
In the end, although Schütz’s report was a duplicate, Google made an exception and awarded the researcher $70,000 for his finding.
Users of Android 10, 11, 12, and 13 can patch this flaw by applying the November 7, 2022, security update.