David Schütz, a Hungary-based cybersecurity researcher, unintentionally discovered a way to get around the lock screen on his completely patched Google Pixel 6 and Pixel 5 devices, making it possible for anyone with physical access to the device to unlock it.
The good news is that Google fixed this flaw with a security update, which was made available on November 7. The bad news is that before the patch was released, the breach had been accessible to attackers for at least six months. These are the reasons why it is crucial to apply each and every security update.
Schütz claimed that when the battery in his Pixel 6 died, he accidentally discovered the security flaw. He mistyped his PIN three times before using the PUK (Personal Unblocking Key) code to unlock the locked SIM card. The PUK is used to change a PIN that has been misplaced or forgotten and is often printed on the SIM card packaging. The lock screen passcode or pattern is typically requested by an Android phone for security purposes after unlocking the SIM card and choosing a new PIN number. But because of the flaw, Schütz’s Pixel 6 requested a fingerprint scan instead which is considered unusual behaviour.
After some experimentation, he discovered that the fingerprint scan request would be skipped and the user would be able to access the home screen immediately if the device had been unlocked by the owner at least once since reboot. You can see Schütz exploiting the bug in his video below.
This security flaw is affecting all Android devices running versions 10, 11, 12, and 13 that haven’t been patched to the November 2022 level. Schütz was awarded $70,000 by Google for bringing this flaw to its attention. This vulnerability is formally registered under the name CVE-2022-20465.
Software updates can take a few minutes of our time and may not seem that vital, so it is simple to skip them. However, doing so opens the door for hackers to access your personal data, putting you at risk for identity theft, financial loss, damage to your credit, and other problems.