A security researcher has found a serious vulnerability in Google’s own smartphones. Hackers can easily unlock the device with it.
Usually unlocking methods like password, numeric code or biometric authentication are quite secure. But now a security researcher has discovered that hackers can easily bypass the screen lock in Google Pixel smartphones.
A SIM card is enough to unlock the smartphone
In a post on his own blog, ethical hacker David Schulz explains how he used a SIM card to break the lock. Ethical hackers are people who hack devices to find vulnerabilities and report them to companies.
Schulz accidentally encountered a vulnerability in the screen lock after his Google Pixel 6 turned off due to a low battery. When restarting, he entered the PIN for the SIM card incorrectly three times, so he had to look up the PUK and set a new PIN. After that, users usually have to enter the passcode or password set for the screen lock to unlock the smartphone after the restart. Instead, Schulz’ Pixel 6 displayed the fingerprint icon directly. The smartphone could be unlocked, but got stuck with the message “Pixel is starting”.
So it was clear that something was wrong. As a security researcher, Schulz had to investigate the matter. He repeated the process several times and the Pixel 6 kept getting stuck on “Pixel is starting”. In one of the attempts, however, Schulz forgot to restart the smartphone and instead locked it again with the power button. He swapped the SIM, entered the wrong PIN three times and chose a new PIN. But instead of displaying the fingerprint icon, the smartphone jumped straight to the home screen. So Schulz was able to use his Google Pixel 6 without even seeing the screen lock. He replicated the same process on a Pixel 5 – with the same result.
Google fixes lock screen vulnerability
In fact, Schulz has found what is probably one of the most serious security gaps in Android history. Because hackers can use it to bypass the screen lock on Google smartphones by simply inserting their own SIM card.
Schulz immediately reported the vulnerability to Google. According to his blog post, he was the second person to find the bug. But apparently his knowledge was crucial for Google to close the security gap. The company has now eliminated the CVE-2022-20465 vulnerability with the current security patch dated November 5, 2022.
TECHBOOK therefore strongly advises installing the patch as soon as possible. It is available for Pixel 4a and newer. You can install the patch manually at settings>system>system update.
It is currently still unclear whether older Google Pixel smartphones are also affected by the faulty screen lock and should receive the security patch. According to Google Support, the Pixel 4 (XL) has not received any security updates since this month. As soon as TECHBOOK receives a response from Google, we will update this article accordingly.