According to Schütz, every Pixel phone may be vulnerable to this issue. He notified Google about the bug several months ago, but the company only addressed it in its November security update for Pixel phones. Although Schütz was not the first person to report the issue, he received a $70,000 reward because Google only began working on a fix after his report.
Accidental Discovery
Schütz discovered the Pixel bug by accident, but he describes it as the “most impactful vulnerability” he has found to date. According to Schütz, the battery of his Google Pixel 6 died one day while he was sending messages. He plugged the phone into the charger and restarted it, but could not remember his SIM PIN. After three incorrect PIN entries, he had to enter the PUK code to unlock the SIM. Once he provided the PUK and set a new SIM PIN, he noticed that his lock screen looked different.

“It was a fresh boot, and instead of the usual lock icon, the fingerprint icon was showing. It accepted my finger, which should not happen, since after a reboot, you must enter the lock screen PIN or password at least once to decrypt the device,” Schütz explained in his blog post.

Concerned, he repeated the SIM PIN reset process on his Pixel 6 several times. On one run he went through the steps without rebooting the phone first, and found that he could bypass every lock screen protection. “This time the phone glitched, and I was on my personal home screen. What? It was locked before, right?” he wrote.

The attack needs only physical access to a locked phone: insert a PIN-locked SIM card, enter the wrong SIM PIN three times, supply the PUK code, set a new SIM PIN, and the phone is unlocked, Schütz explained. Note that the SIM can be the attacker’s own, so the attacker knows its PUK.

Looking at the Android source, Schütz traced the lock screen bypass to the keyguard’s “.dismiss()” call, which dismissed whichever security screen was showing at the time rather than the one that had actually been completed. Android engineers fixed the issue by changing the call to “.dismiss(SecurityMode.SimPuk)”, so that the caller has to name the screen it expects to dismiss. “This seems to me like a pretty elegant and robust solution to defend against this, and future race conditions as well,” Schütz noted.
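The following Java program is an added example and not Android’s code or Schütz’s. It is a deliberately simplified model of a keyguard that keeps a stack of security screens (the PIN screen underneath, the SIM PUK screen pushed on top when a locked SIM appears). The class names, the stack structure, the onSimUnlocked() side effect and the exact ordering of the race are assumptions made for illustration; only the contrast between an unchecked dismiss() and a dismiss(SecurityMode) that names the screen it expects comes from the fix described above.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Simplified model of a keyguard security container (illustrative, not Android's code).
public class KeyguardDismissModel {

    enum SecurityMode { PIN, SimPuk }

    static final class Keyguard {
        // Stack of security screens the user must clear; the top is what is shown.
        private final Deque<SecurityMode> screens = new ArrayDeque<>();
        private boolean unlocked;

        Keyguard(SecurityMode... initial) {
            for (SecurityMode m : initial) screens.push(m);
        }

        void show(SecurityMode m) { screens.push(m); }
        SecurityMode current() { return screens.peek(); }
        boolean isUnlocked() { return unlocked; }

        // Pre-fix behaviour: dismiss whatever screen is on top, no matter which
        // component asked. A stale caller therefore dismisses the wrong screen.
        void dismiss() {
            if (!screens.isEmpty()) screens.pop();
            if (screens.isEmpty()) unlocked = true;
        }

        // Post-fix behaviour: the caller names the screen it finished. If that
        // screen is no longer on top, the request is ignored and the lock holds.
        boolean dismiss(SecurityMode expected) {
            if (screens.peek() != expected) return false;
            screens.pop();
            if (screens.isEmpty()) unlocked = true;
            return true;
        }

        // Assumed side effect of the SIM state change: the framework itself
        // removes the PUK screen once the SIM reports that it is unlocked.
        void onSimUnlocked() {
            if (screens.peek() == SecurityMode.SimPuk) screens.pop();
        }
    }

    // Hot-swap a PIN-locked SIM into a locked phone, go through the PUK reset,
    // then let the two dismiss paths race. Returns whether the device ended up unlocked.
    static boolean runScenario(boolean patched) {
        Keyguard kg = new Keyguard(SecurityMode.PIN);   // device locked with a PIN
        kg.show(SecurityMode.SimPuk);                    // new SIM requires its PUK
        // ... user enters the PUK and a new SIM PIN ...
        kg.onSimUnlocked();                               // SIM state change pops the PUK screen
        if (patched) {
            kg.dismiss(SecurityMode.SimPuk);   // PIN screen is on top, so this is ignored
        } else {
            kg.dismiss();                      // pops the PIN screen instead of the PUK screen
        }
        return kg.isUnlocked();
    }

    public static void main(String[] args) {
        System.out.println("unpatched model unlocked: " + runScenario(false));
        System.out.println("patched model unlocked:   " + runScenario(true));
    }
}
```

The point of the model is the second dismiss call: the PUK component’s success callback fires after the SIM state change has already cleared the PUK screen, so an unconditional dismiss() removes the next screen down, which is the device PIN. Passing the expected mode turns that stale callback into a no-op, which is why Schütz calls the change robust against future races of the same shape.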
Bug Was Left Unpatched for Months
Although Google’s Android VRP team found the code responsible for the bug just 37 minutes after Schütz reported the issue, the vulnerability was left unpatched for several months. The Android security team confirmed that the issue had been reported before, which is why Schütz did not receive the $100,000 reward Google offers for a lock screen bypass.

That raises the question of why Google’s patching process was so slow for such a significant security flaw. Schütz said he was shocked that the issue was not addressed in the September security update for Pixel phones. “I felt like I worry and care so much more about the bug getting fixed than Google themselves,” he noted.

Schütz happened to be attending the ESCAL8 bug hunter event in London when the September Pixel security update was released, and he demonstrated the issue there to Google engineers. It appears that only at this point did the Android security team prioritize the bug. Google originally planned to release the fix in December, but Schütz insisted it should ship sooner “considering the impact.” “I was not expecting to cause this big of a code change in Android with this bug,” Schütz said.

If you use a Pixel 4 or newer, we strongly recommend installing the latest security updates. Security researchers regularly find software vulnerabilities affecting smartphones, and sometimes criminals exploit these bugs before they are patched; that does not appear to have happened in this case. In November last year, Google released a patch for a high-risk Android vulnerability that was being actively exploited by threat actors.