Nov 14 – Cyber security researcher David Schutz happened upon a way to bypass the Android lock screen on his fully patched Google Pixel 6 and Pixel 5 phones. In short, Schutz's discovery enables anyone with physical access to a device to unlock it.
Getting past the Android lock screen is simple: it is a five-step process that takes the average person no more than a few minutes.
Google has resolved the security issue in its latest Android update; however, the lock screen had been vulnerable for at least six months.
The Android unlock discovery
According to Schutz, he discovered the flaw after his Pixel 6 ran out of battery, at which point he mistyped his SIM PIN three times and then recovered the locked SIM card using the PUK (Personal Unblocking Key) code.
After unlocking the SIM and selecting a new PIN, the phone did not ask for the lock screen password. Instead, it simply requested a fingerprint scan.
For security reasons, when Android phones reboot, they always ask for a password or a pattern before accepting biometrics. The jump straight to the fingerprint prompt was out of the ordinary.
Security vulnerability implications
The impact of this security vulnerability is considered extensive. It affects all devices running Android versions 10, 11, 12 and 13 that have not received the November 2022 security patch.
While physical access to the device is essential to exploit this flaw, it could carry significant implications for people with abusive partners, people under law enforcement investigation, owners of stolen devices, etc.
According to the research, a malicious person could simply insert their own SIM card into the target device, enter the wrong PIN three times, enter the PUK code, and then gain access to the device.