The November 2022 Android update includes a fix for a bug that could allow an attacker to bypass the Google Pixel lock screen.
The researcher behind the discovery, David Schütz, reported the Google Pixel security flaw back in June after a series of errors led him to discover the vulnerability. He had forgotten his PIN after his device ran out of battery and died. After reboot, Schütz entered an incorrect PIN number three times, triggering the SIM card to lock itself.
Fortunately, he explained in a blog post this week, he had the original SIM packaging with the factory personal unlocking key (PUK) code to open the SIM card. From there he was able to gain access to the device without ever entering the correct PIN.
“After I calmed down a little bit, I realized that indeed, this is a got d*mn full lock screen bypass, on the fully patched Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too,” he wrote.
The Google Pixel lock screen bypass vulnerability is tracked under CVE-2022-20465. Here are the bypass steps, according to Schütz:
- Enter the wrong PIN three times.
- Hot-swap the device SIM for an attacker-controlled SIM with a known PIN code.
- Enter the new SIM’s eight-digit PUK code.
- Enter the new device PIN.
- Presto! The device unlocks.
For his efforts, Schütz said he was awarded a $70,000 bug bounty, along with bragging rights.