.
The Google Pixel 7 series launched earlier this year, arriving with considerable updates over the models released last year. There were many reports that pointed to various flaws in the Pixel 6 series devices, which had allegedly been resolved with the launch of the Google Pixel 7. However, it seems that the Mountain View giant’s smartphones are not that safe.
An ethical hacker has discovered a lock screen bug that affects every Google Pixel. David Schutz detected the problem on his Pixel 6. However, the hacker believes that the vulnerability exists on all the company’s mobile phones. Fortunately, the bug was fixed in the security update released on November 5, 2022.
Google Pixel security flaw has already been fixed by the manufacturer
David Schutz claims that a bug, which has now been fixed, let anyone bypass the lock screen on all Google Pixel smartphones.
“The issue allowed an attacker with physical access to bypass lock screen protections (fingerprint, PIN, etc.) and gain full access to the user’s device.” Schutz stated that this vulnerability is identified as CVE-2022-20465 and could affect other Android vendors as well.
Schutz accidentally encountered the bug while texting on his Pixel 6, which only had 1% battery left. After the battery ‘dies’, he plugged the phone into the charger and turned the device back on. Schutz noticed that the Pixel 6 asked for the SIM card PIN code when starting up. He entered the incorrect code three times, which resulted in him having to enter the card’s PUK code to get it working again.
After entering the PUK code, the Google Pixel asked him to set a new PIN, and that’s when Schutz noticed something was wrong. After a fresh start, the Pixel’s lock screen showed the fingerprint icon instead of the usual lock screen that requires you to enter your PIN. Schutz claimed that the device accepted this fingerprint, which shouldn’t have happened after a fresh boot. “After accepting my finger, it got stuck on a weird ‘Pixel is starting…’ message, and it stayed there until I restarted it again,” he added.
To make sure this wasn’t a one-time problem, the hacker ran the same process several times, just to get the same result. In one of the tests, the phone broke down and opened the home screen instead of the usual lock screen. He claims to have performed the same process on his Pixel 5 and got the same results there too.
“Since the attacker could simply bring their own SIM card with a PIN blocked, nothing more was needed than physical access for them to gain free access. The attacker could simply change the SIM on the victim’s device, and perform the exploit with a SIM card that had a PIN blocked and for which the attacker knew the correct PUK code,” Schutz said in his post.
Schutz contacted Google, who stated that he was the second person to report this bug. As a reward, the company gave him $70,000 as it was his report that got them to start working on the bug.
Now that Google has fixed the bug, you are advised to update to the latest November security patch that is being released for eligible Google Pixels.
Other interesting articles:
.
