Google Pixel Phone Lock Bypass

Security researcher David Schütz, discovered a vulnerability that could allow an attacker to unlock any Google Pixel phone without knowing its passcode! This finding earned him a $70k bug bounty from Google.

The vulnerability tracked at CVE-2022-20465 could allow a potential attacker to bypass lock-screen protections such as fingerprint or PIN authentication and obtain physical access to a target device.

- Advertisement -

How Schütz came across this vulnerability

David Schütz explained in his post that he came across this issue when he forgot the PIN code of his Pixel phone. He then had to use the PUK code to re-gain access.

“It was a fresh boot, and instead of the usual lock icon, the fingerprint icon was showing,” Schütz said. “It accepted my finger, which should not happen since, after a reboot, you must enter the lock screen PIN or password at least once to decrypt the device.”

After accepting his finger, the device crashed with a weird “Pixel is starting…” message, which Schütz addressed with a forced reboot.

Further investigation revealed the security vulnerability

After further investigation of this issue, he forgot to reboot the phone and began from a normal unlocked state, locked the device, and hot-swapped the SIM tray, before carrying out the SIM PIN reset process.

After following this sequence before entering the PUK code and choosing a new PIN, Schütz was presented with his unlocked home screen. The same method also worked on a Google Pixel 5.

“Since the attacker could just bring his/her own PIN-locked SIM card, nothing other than physical access was required for exploitation. The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code.”

Lockscreen bypass PoC

The bug was fixed on November 5, allowing Schütz to disclose his findings and a video demonstrating the flaw.

So, make sure you always have your phone updated with the latest software from your vendor.

Exit mobile version