
A vulnerability affecting “seemingly all” Google Pixel phones could reportedly allow unwanted users to access a locked Pixel device.
According to a blog post by cybersecurity researcher David Schütz, whose bug report convinced Google to take action, the bug was only patched for the affected phones in the November 5, 2022 security update, about six months after the bug was filed.
The vulnerability, tracked as CVE-2022-20465, allowed an attacker with physical access to bypass lock screen protections such as fingerprint and PIN and gain full access to the user’s device.
How did the exploit work?
Schütz, who claimed that an earlier bug report on the same problem from another researcher had been ignored, said the exploit was simple and easy to replicate.
The exploit involved locking the SIM card by entering the wrong PIN code three times, reinserting the SIM tray, resetting the PIN code by entering the PUK code of the SIM card (which should be in the original packaging), and then selecting a new PIN code.
Since an attacker could simply bring their own PIN-locked SIM card, nothing other than physical access was required to execute the exploit, according to Schütz.
Potential attackers could simply swap a PIN-locked SIM card for which they knew the correct PUK code into the victim’s device and perform the exploit with it.
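To make the reported sequence concrete, the following is an added Python model of a layered lock screen; it is not Android's keyguard code and is not taken from Schütz's write-up. The article does not describe the internal cause, so the model assumes the flaw is a dismissal step that tears down the whole keyguard as soon as any security screen (here the SIM PUK screen) succeeds, and shows the hardened variant, which only dismisses on the device credential, beside it. All SIM, PIN and PUK values are constructed.

```python
from dataclasses import dataclass
SIM_PUK, DEVICE_PIN, NONE = "sim_puk", "device_pin", "none"

@dataclass
class Sim:
    pin: str
    puk: str
    wrong_pin_attempts: int = 0

    def blocked(self) -> bool:
        return self.wrong_pin_attempts >= 3  # three wrong PINs lock the SIM

    def try_pin(self, pin: str) -> None:
        ok = not self.blocked() and pin == self.pin
        self.wrong_pin_attempts = 0 if ok else self.wrong_pin_attempts + 1

    def reset_with_puk(self, puk: str, new_pin: str) -> bool:
        if not self.blocked() or puk != self.puk:
            return False
        self.pin, self.wrong_pin_attempts = new_pin, 0  # SIM unblocked, new PIN set
        return True

@dataclass
class Keyguard:
    device_pin: str
    sim: Sim
    hardened: bool  # False: dismiss on any screen success; True: check which screen
    unlocked: bool = False

    def required_screen(self) -> str:
        if self.unlocked:
            return NONE
        return SIM_PUK if self.sim.blocked() else DEVICE_PIN  # SIM screen shown first

    def screen_succeeded(self, screen: str) -> None:
        # Assumed vulnerable shape: any successful security screen dismisses the
        # whole keyguard. Hardened: only the device credential screen may do so.
        if not self.hardened or screen == DEVICE_PIN:
            self.unlocked = True

    def enter_puk(self, puk: str, new_pin: str) -> None:
        if self.sim.reset_with_puk(puk, new_pin):
            self.screen_succeeded(SIM_PUK)

def bypass_attempt(hardened: bool) -> Keyguard:
    sim = Sim(pin="1234", puk="87654321")  # constructed attacker-owned SIM, PUK known
    kg = Keyguard(device_pin="0000", sim=sim, hardened=hardened)
    for _ in range(3): sim.try_pin("9999")  # wrong PIN three times: SIM now blocked
    kg.enter_puk("87654321", new_pin="4321")  # PUK reset, choose a new SIM PIN
    return kg
```

In the hardened variant the SIM screen disappears after the PUK reset but the keyguard falls through to the device PIN screen instead of unlocking.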
To Google’s credit, despite the severity of the exploit, Schütz claims that after submitting a report detailing the vulnerability, Google tackled the exploit within 37 minutes.
While Schütz did not provide any evidence, he stated that other Android vendors may have been affected. This is certainly possible as Android is an open source operating system.
This isn’t the first time a security researcher has revealed serious vulnerabilities in Android phones.
In April 2022, Check Point Research (CPR) discovered a vulnerability that, if not fixed, could potentially expose a large number of Android phones to remote code execution, due to vulnerabilities in the audio decoders of Qualcomm and MediaTek chips.