Researcher finds a vulnerability affecting most Android phones
Researchers accidentally discovered a serious vulnerability that affects most Android phones
A cybersecurity researcher has accidentally discovered a vulnerability that affects most devices running Google's Android operating system.
Researcher David Schütz said he has found a way to bypass the lock screen on two of his smartphones, Google's Pixel 6 and Pixel 5. He added that the flaw allowed anyone with physical access to the device to unlock it.
As shown by Schütz in the video, exploiting the lock screen vulnerability in an Android phone is a simple five-step process that takes no more than a few minutes.
Google patched the security issue in an Android update released last week, but the vulnerability has been exploited for less than six months.
Schütz said he encountered the error after his Pixel 6 phone ran out of battery: after entering the wrong PIN three times, he was able to unlock the SIM card using the PUK code. After he unlocked the SIM card and chose a new PIN, the device did not ask for the lock screen passcode; it only asked for a fingerprint scan.
For security reasons, Android devices always require the lock screen password or pattern after a reboot, so going straight to fingerprint unlock is not normal.
The researcher continued the experiment, and when he tried again without restarting the device, he found that it was possible to go directly to the home screen, that is, to bypass the fingerprint as well, provided that the owner had unlocked the device at least once since the restart.
It should be noted that the impact of this vulnerability is very far-reaching, as it affects devices running Android versions 10, 11, 12 and 13 that did not receive the November 2022 security update.
Although physical access to the device is a prerequisite for exploiting the vulnerability, it can still have serious implications, especially for the owner of a stolen device or a device that an attacker can access. An attacker can use their own SIM card on the target device, enter the wrong PIN three times, provide the PUK number and gain unlimited access to the victim's device.
Schütz notified Google of the vulnerability in June. The company did not release a patch until November 7, although it acknowledged the vulnerability and assigned the identifier CVE-2022-20465.
While Schütz's report was a duplicate, Google made his report an exception and awarded him $70,000 for finding the vulnerability.
Users of Android versions 10, 11, 12 and 13 can fix the vulnerability by installing the security update published on November 7.
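For anyone managing more than one device, the remediation above comes down to checking each device's Android release and security patch level. The following is an added example, not part of the original article: it audits a constructed inventory and assumes the values were collected from the `ro.build.version.release` and `ro.build.version.security_patch` properties, with any patch level dated November 2022 or later treated as containing the fix.

```python
import re

# Affected Android releases and the fixing update, as stated in the article.
AFFECTED_RELEASES = {10, 11, 12, 13}
FIXED_PATCH = (2022, 11)  # November 2022 security update (year, month)

PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")

# Constructed sample inventory: device name, Android release, patch level
# (for example gathered with `adb shell getprop <property>` per device).
SAMPLE_INVENTORY = """\
pixel6-alice,13,2022-10-05
pixel5-bob,13,2022-11-05
tablet-lobby,11,2021-08-01
legacy-scanner,9,2019-03-01
kiosk-3,12,unknown
phone-carol,12,2023-01-05
"""

def classify(release, patch):
    """Return 'patched', 'vulnerable', 'out-of-scope' or 'unknown'."""
    try:
        major = int(release.strip().split(".")[0])
    except ValueError:
        return "unknown"
    if major not in AFFECTED_RELEASES:
        return "out-of-scope"  # the article makes no claim about these
    m = PATCH_RE.match(patch.strip())
    if not m:
        return "unknown"  # missing or garbled patch level: review by hand
    year, month = int(m.group(1)), int(m.group(2))
    return "patched" if (year, month) >= FIXED_PATCH else "vulnerable"

def audit(inventory_text):
    """Map each device name to its status for CVE-2022-20465."""
    results = {}
    for line in inventory_text.splitlines():
        parts = [field.strip() for field in line.split(",")]
        if not line.strip():
            continue
        if len(parts) != 3:
            results[parts[0]] = "unknown"
            continue
        name, release, patch = parts
        results[name] = classify(release, patch)
    return results

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:15} {status}")
```

Devices reported as `unknown` should be treated as unpatched until their patch level is confirmed.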