Google pays researcher $70,000 to discover simple Android lock screen bypass bug

What happened now? If you are looking for a way to make a lot of money quickly, you could try finding a security vulnerability and claiming a bug bounty for it. One researcher received a $70,000 payout from Google after he discovered a way to unlock Android phones without a password, and he found it by accident.

Hungarian researcher David Schütz reported the high-severity bug, tracked as CVE-2022-20465, which Google describes as a lock screen bypass caused by a logical error in the code and classifies as a local escalation of privilege that needs no additional execution privileges.

Although the exploit requires physical access to the target device, it is an effective way to bypass a screen lock protected by a PIN, pattern, password, fingerprint, or face. Schütz discovered the flaw after a 24-hour trip, when his Pixel 6 ran out of battery while he was sending a series of text messages.

After plugging in the charger and rebooting the device, the Pixel asked for the SIM PIN, which is separate from the screen lock code: it protects the SIM card itself, so that someone who physically steals the card cannot use it in another phone. Schütz could not remember the code, and after three wrong entries the SIM was blocked.

The only way to unblock a SIM in that state is the Personal Unblocking Key (PUK), an eight-digit code that is often printed on the packaging the SIM came in or can be obtained from the carrier's help desk. Schütz found his on the packaging, entered it, and set a new SIM PIN. But instead of the lock screen passcode prompt he expected, the Pixel only asked for a fingerprint. That is itself unusual: after a reboot Android insists on the PIN, pattern or password before it accepts biometrics, because the keys protecting the user's data are only released once that credential has been entered.

Schütz experimented with this anomaly and eventually found that replaying the same steps without rebooting the device bypasses the screen lock completely; no fingerprint is needed at all. You can see the process in action above.
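The article describes the flaw only as a logical error, so the following is an added illustration rather than the article's or Android's code. The toy keyguard below assumes, as a simplification, that the PUK screen's "dismiss me" request was applied to whichever security screen happened to be showing, and that a SIM state change could swap the screen to the user's own PIN prompt before that request landed. It then shows the kind of check that closes such a hole: a dismissal must name the screen it came from, and is ignored if that is not the screen on display. All class and method names are hypothetical; the post-reboot fingerprint-only case is not modelled.

```python
from enum import Enum, auto


class SecurityMode(Enum):
    """Which security screen the keyguard is currently showing."""
    NONE = auto()      # nothing: the device is unlocked
    PIN = auto()       # the user's own lock-screen credential
    SIM_PIN = auto()   # SIM PIN prompt
    SIM_PUK = auto()   # SIM PUK prompt, shown after three wrong SIM PINs


class Keyguard:
    """Toy keyguard: device/SIM state plus the one screen currently shown.

    Hypothetical model, not AOSP code. check_expected_mode=False models the
    assumed pre-fix behaviour (a dismissal is applied to whatever screen is
    showing); True models a dismissal that must name the screen it came from.
    """

    def __init__(self, check_expected_mode: bool) -> None:
        self.check_expected_mode = check_expected_mode
        self.device_locked = True        # screen lock is engaged
        self.sim_pin_locked = True       # inserted SIM still wants its PIN
        self.sim_puk_locked = False      # set after three wrong SIM PINs
        self.sim_pin_attempts = 0
        self.current = self._next_mode()

    def _next_mode(self) -> SecurityMode:
        """Pick the screen to show from the current device and SIM state."""
        if self.sim_puk_locked:
            return SecurityMode.SIM_PUK
        if self.sim_pin_locked:
            return SecurityMode.SIM_PIN
        return SecurityMode.PIN if self.device_locked else SecurityMode.NONE

    def on_sim_state_changed(self) -> None:
        """The radio reported a new SIM state; re-select the screen to show."""
        self.current = self._next_mode()

    def enter_sim_pin(self, correct: bool) -> None:
        assert self.current == SecurityMode.SIM_PIN
        if correct:
            self.sim_pin_locked = False
        else:
            self.sim_pin_attempts += 1
            if self.sim_pin_attempts >= 3:
                self.sim_puk_locked = True   # SIM is now blocked
        self.on_sim_state_changed()

    def enter_puk(self, correct: bool) -> bool:
        """PUK screen: a correct PUK unblocks the SIM, the keyguard reacts to
        the SIM state change, and only then does the PUK screen ask to be
        dismissed. Returns True if the device ended up unlocked."""
        assert self.current == SecurityMode.SIM_PUK
        if not correct:
            return False
        self.sim_puk_locked = False
        self.sim_pin_locked = False      # the PUK flow sets a fresh SIM PIN
        self.on_sim_state_changed()      # current screen is now the user's PIN
        return self.dismiss(requested_by=SecurityMode.SIM_PUK)

    def dismiss(self, requested_by: SecurityMode) -> bool:
        """A security screen reports success and asks the keyguard to move on."""
        if self.check_expected_mode and requested_by != self.current:
            # The requesting screen is no longer the one on display: a stale
            # request must not satisfy a different, stronger screen.
            return False
        if self.current == SecurityMode.PIN:
            self.device_locked = False   # only the PIN screen may unlock the device
        self.current = self._next_mode()
        return not self.device_locked


def simulate_puk_replay(keyguard: Keyguard) -> bool:
    """Three wrong SIM PINs, then the correct PUK, with the user's lock-screen
    PIN never entered. Returns True if the device is unlocked afterwards."""
    for _ in range(3):
        keyguard.enter_sim_pin(correct=False)
    keyguard.enter_puk(correct=True)
    return not keyguard.device_locked


if __name__ == "__main__":
    print("pre-fix model unlocked:", simulate_puk_replay(Keyguard(check_expected_mode=False)))
    print("fixed model unlocked:  ", simulate_puk_replay(Keyguard(check_expected_mode=True)))
```

The general lesson is the one a reviewer would apply to any multi-screen authentication stack: a success signal must carry the identity of the step that produced it, and the state machine must compare that identity with the step it is actually waiting on before advancing.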

Schütz says the process worked on his Pixel 6 and Pixel 5. Google fixed it in the November 2022 Android security update (patch level 2022-11-05), but the bug had been in Google's hands since June, so criminals could have been exploiting it for at least six months. Any device running Android 10 through Android 13 that has not received the November 2022 patch is still vulnerable. The installed patch level is shown under Settings > About phone > Android version as the Android security update date, or can be read with adb shell getprop ro.build.version.security_patch.
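A quick way to check a fleet for the patch status described above, as an added example that is not from the article: it reads the standard ro.build.version.release and ro.build.version.security_patch properties from adb shell getprop output and flags devices on Android 10 through 13 whose patch level predates 2022-11-05. The getprop sample is constructed, not captured from a real device.

```python
import re

# Release majors named in the article, and the patch level that fixes the bug.
AFFECTED_RELEASES = {"10", "11", "12", "13"}
FIXED_PATCH_LEVEL = "2022-11-05"

# Constructed sample of `adb shell getprop` output; not from a real device.
SAMPLE_GETPROP = """\
[ro.product.model]: [Pixel 6]
[ro.build.version.release]: [13]
[ro.build.version.security_patch]: [2022-10-05]
"""

_PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[([^\]]*)\]$", re.MULTILINE)
_PATCH_LEVEL = re.compile(r"^\d{4}-\d{2}-\d{2}$")


def parse_getprop(text: str) -> dict:
    """Turn getprop's `[name]: [value]` lines into a dict."""
    return dict(_PROP_LINE.findall(text))


def is_exposed(props: dict) -> bool:
    """True if the release is in the affected range and the security patch
    level predates the fix. An unparseable patch level is treated as exposed,
    since a device that cannot prove it is patched should be chased, not skipped."""
    release = props.get("ro.build.version.release", "")
    patch = props.get("ro.build.version.security_patch", "")
    if release.split(".")[0] not in AFFECTED_RELEASES:
        return False
    if not _PATCH_LEVEL.match(patch):
        return True
    # Patch levels are ISO dates, so plain string comparison orders them.
    return patch < FIXED_PATCH_LEVEL


if __name__ == "__main__":
    props = parse_getprop(SAMPLE_GETPROP)
    print(props.get("ro.product.model"), "exposed:", is_exposed(props))
```

To run it against a real device, save the output of adb shell getprop to a file and pass its contents to parse_getprop; the same logic applies to any other fix date, by changing FIXED_PATCH_LEVEL and the affected release set.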

Google's reward program pays up to $100,000 for a lock screen bypass on Pixel devices. Schütz received the smaller sum of $70,000 because another researcher had reported the same bug before him, although Google had not been able to reproduce it from that earlier report.
