The November 2022 Android replace features a remediation for a bug that would permit an attacker to bypass the Google Pixel lock display.
The researcher behind the invention, David Schütz, reported the Google Pixel safety flaw again in June after a collection of errors led him to discovering the vulnerability. He had forgotten his PIN after his system ran out of battery and died. After reboot, Schütz entered an incorrect PIN quantity thrice, triggering the SIM card to lock itself.
Luckily, he defined in a weblog publish this week, he had the unique SIM packaging with the manufacturing unit private unlocking key (PUK) code to open the SIM card. From there he was capable of acquire entry to the system with out ever getting into the right PIN.
“After I calmed down somewhat bit, I spotted that certainly, this can be a bought d*mn full lock display bypass, on the totally patched Pixel 6. I bought my previous Pixel 5 and tried to breed the bug there as nicely. It labored too,” he wrote.
The Google Pixel lock display bypass vulnerability is tracked below CVE-2022-20465. Here are the bypass steps, in accordance with Schütz:
- Enter the incorrect PIN thrice.
- Hot-swap the system SIM for an attacker-controlled SIM with identified PIN code.
- Enter the brand new SIM’s eight-digit PUK code.
- Enter the brand new system PIN.
- Presto! The system unlocks.
For his efforts, Schütz stated he was awarded a $70,000 bug bounty, together with bragging rights.