This Google Pixel bug fix could have spelled trouble for all Android phones
A vulnerability affecting “seemingly all” Google Pixel phones reportedly allowed unwanted newcomers to access a locked Pixel device.
According to a blog post by cybersecurity researcher David Schütz, whose bug report convinced Google to take action, the bug was not patched for the Android phones in question until a security update dated November 5, 2022, about six months after he submitted his bug report.
The vulnerability, which is tracked as CVE-2022-20465, allowed an attacker with physical access to bypass lock screen protections such as fingerprint and PIN and gain full access to the user’s device.
How did the exploit work?
Schütz, who claimed that another researcher’s earlier bug report highlighting the problem was ignored, said the exploit was simple and easy to copy.
It involved locking a SIM card by entering the wrong PIN code three times, reinserting the SIM card tray, resetting the PIN code by entering the PUK code of the SIM card (which should be in the original packaging) and then choosing a new PIN.
Because the attacker could simply bring their own PIN-locked SIM card, Schütz said nothing other than physical access was needed to carry out the exploit.
Potential attackers could simply swap such a SIM card into the victim’s device and perform the exploit using a SIM card that had a PIN code and for which the attacker knew the correct PUK code.
To Google’s credit, despite the seriousness of the exploit, Schütz claims that after he submitted a report detailing the vulnerability, Google acted on the exploit within 37 minutes.
While Schütz did not provide any evidence, he stated that other Android vendors may have been affected. This is certainly possible since Android is an open source operating system.
This isn’t the first time a security researcher has revealed serious security flaws in Android phones either.
In April 2022 Check Point Research (CPR) revealed a flaw that, if not patched, could have left a large number of Android phones vulnerable to remote code execution, due to vulnerabilities in the audio decoders of Qualcomm and MediaTek chips.