Anyone Can Unlock Your Android Without a Password

Your phone’s lock screen should protect you from the outside world (and accidental unlocks in your pocket). When it is locked, your phone cannot be opened without a passcode, face scan, or fingerprint. If you lose your phone or someone snatches it from you, you can be sure they can’t do anything with it. Except now they can, thanks to a recently discovered vulnerability that allows anyone to bypass the lock screen of an Android device.

According to Bleeping Computer , cybersecurity researcher David Schuetz has discovered a way to unlock the Google Pixel 6 and Pixel 5 without having to know the passcode. This happened after his Pixel 6 ran out of battery and after he entered his PIN incorrectly three times. Then his SIM was locked, so he entered the PUK (Personal Unlock Key) to restore it.

However, once the SIM was restored, the Pixel asked him to scan his fingerprint. This shouldn’t happen as the Pixels (like most phones) require you to enter your passcode to unlock it after a reboot. You should not be able to use your fingerprint to unlock your phone until one successful unlock with a passcode has been completed.

From there, Schütz realized that there was a legitimate security breach here. If an attacker inserts their SIM into a victim’s Android device and then enters the wrong SIM PIN three times, they can enter their SIM’s PUK to generate a new SIM PIN. Once they do that, they completely bypass the lock screen and have access to the phone. You can watch the hypothetical attack play out in the video below:

Pixel 6 Complete POC Lock Screen Bypass

Schutz brought this flaw to Google’s attention back in June of this year, but it took the company five months to finally release the patch. However, it’s good that there’s a patch: it’s not clear how long this vulnerability has actually been around, potentially exposing millions of Android devices.

How to Fix the Latest Lock Screen Security Flaw on Android

If you have a phone running Android 10, 11, 12, or 13, you need to install the November 2022 security update to fix this vulnerability. If you’ve already installed the patch, you’re done! But otherwise, install it as soon as possible.

To install a security patch on Android, go to Settings > System > System Update and let the OS look for a new update. If it is, you can download and install it from here. You can also check for security updates by going to Settings > Security > Google Security Check .

More…

Leave a Reply