What if we tell you that the screen lock of your Android smartphone can be easily bypassed to leave your smartphone vulnerable to attackers? This is actually true and Google has Hungry-based cybersecurity expert David Schütz to thank for bringing this software bug to their attention. The bug, as stated by Google and Schütz, has now been fixed in the Google security update of November 5, 2022.
Tech researcher David Schütz revealed in his blog post that he was able to detect a vulnerability affecting all Google pixel smartphones that made it possible for any attacker to easily unlock the screen lock without knowing the passcode. Schütz claimed that the bug might not be limited to Pixel smartphones and there is a chance other Android devices also carry a similar software flaw.
In the blog post, Schütz divulged the details of his research process and mentioned, “The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s device. The vulnerability is tracked as CVE-2022-20465 and it might affect other Android vendors as well. You can find my patch advisory and the raw bug report I have sent to Google at feed.bugs.xdavidhu.me.”
Most Android smartphones have a screen lock that allows smartphone users to set up a passcode, either numerical or a pattern, that locks the screen. Screen locks these days also have a form of face print or fingerprint. However, numerical passcode screen locks are probably the most common and widely used across the world. There is also a separate lock functionality for the SIM card inside the smartphone. This ensures that no one would be able to eject or physically take out the SIM card from the smartphone as long as the SIM is locked. This is often a numerical PIN lock. These SIM cards also have another personal lock unlock code that is used at times when a wrong PIN is entered consecutively three times on the smartphone.
It is also revealed that for the attackers to work around the bug, the smartphone must be at least once unlocked after the last time it was restarted. The bug can pose a threat of exploiting any Android device with a physical SIM slot. The research details, however, did not make it clear whether smartphones with eSIM also pose similar vulnerabilities.
Google has reportedly paid $70,000 to Schütz for finding out and reporting the Android smartphone bug privately to the company. The company is calling it “accidental” security but, which has now been fixed. Android smartphone users are now advised to update and install the security update in order to ensure that devices are shielded from the lock screen vulnerability.
According to one of the reports published in the media, the bug only affected devices running on Android 10 or later versions. Although Schütz’s blog post doesn’t mention any specific smartphone models except that the bug was found in Google Pixel phones, it is widely reported in the media that only Google Pixel 6 and Google Pixel 5 were compromised.
Schütz, in his blog post, reveals that Google informed him that his private report about the lock screen bug wasn’t the first time. Google had also received another report about the issue and Schütz’s research result was a duplicate report for them. However, Google still rewarded Schütz because it was only after his report that the company started to work on the fix.
Also Read: AnTuTu Unveils The Most Powerful Android Smartphones