Right on schedule, Google released its November security update for Pixel phones, and judging by the short list of user-facing changes, it would appear to be little more than a routine release to address a few bugs, including fixes to reduce power consumption, screen flickers, and an occasional app crash. However, this update also fixes a pretty serious vulnerability that could allow someone with physical access to bypass the lockscreen of many Android phones in less than a minute, without any software or special tools.

This method for bypassing the lockscreen was discovered by David Schütz. The surprisingly straightforward process only requires physical access to a vulnerable phone and an extra SIM card that has been PIN-locked. All that’s required is to swap in the extra SIM card, enter an incorrect code for the SIM three times, and finally enter the PUK code (usually found on the wallet-sized card the SIM came from). And with those simple steps, the lock screen disappears. David demonstrates the process in the video below.

How it works

David Schütz’s blog post spells out in more detail how this vulnerability occurs; to oversimplify, the problem stems from the way Android implements the lockscreen, or more accurately, the narrow category of security screens that includes the standard lockscreens and the PUK code entry screen. When a security screen needs to be shown, such as after booting up or after turning the screen off and back on, Android stacks it on top and doesn’t allow the user to dismiss it without satisfying its conditions (e.g. a valid fingerprint or passcode). Once the conditions are met, the system broadcasts a signal to dismiss the security screen at the top of this stack and return to any remaining security screens, or to an app or the home screen if no other security screens are on the stack.

The unconventional issue leading to this vulnerability is caused by a system service that listens for changes to the status of the SIM card. Once the PUK code is accepted and the PIN code is reset on the SIM card, the SIM becomes active, and this service steps in by closing the PUK security screen and placing the regular lockscreen back at the top of the stack. However, when the operating system finished processing the result of the PUK security screen, it still broadcast its message to dismiss a security screen. Since only one security screen remained, the regular lockscreen, the system inadvertently dismissed it and granted the user full access to the device.

What is affected?

There are some caveats to this bypass, particularly that it’s only fully effective on a device that has been unlocked since the last time it booted up. If it hasn’t been unlocked, it’s still possible to bypass the lockscreen, but private data and most configuration settings will be inaccessible, usually resulting in most software on the phone malfunctioning until it is rebooted. It’s still unclear if this bypass will work on devices with Advanced Protection Program (APP) enabled.

Furthermore, the hack was initially discovered on a Pixel phone, but the bug lives in the code available in the Android Open Source Project (AOSP). As a result, any devices running software based on this code may also be vulnerable. Some people have already reported devices running Lineage are vulnerable, and likely GrapheneOS as well. However, some reports indicate recent Samsung devices are not.

UPDATE: 2022/11/11 21:10 EST BY CODY TOOMBS

GrapheneOS is reportedly patched already

A member of the GrapheneOS team has reached out to confirm that the latest patch has been applied and released as part of an update released on November 8, 2022.

Google has published a bug fix

Google’s fix for this bug is fairly simple. Rather than augmenting the behavior of the SIM activation system service, which may leave room for other bugs, the Android team augmented the broadcast message to require a new parameter that specifies the type of security screen that should be dismissed. In doing so, there should be no risk of accidentally dismissing the wrong type of screen from the stack.
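To make the mechanism described in the "How it works" section and the shape of the fix concrete, here is a small added simulation written for this page. It is not AOSP code and the class and method names are invented; it only models what the article describes: a stack of security screens, a SIM-state listener that swaps the PUK screen for the regular lockscreen, and a "dismiss" broadcast that, in the vulnerable version, pops whatever happens to be on top, while the patched version carries the type of the screen that was actually passed and ignores a dismiss that no longer matches the top of the stack.

```python
"""Illustrative model of the keyguard stack race behind CVE-2022-20465.

Written for this page as a teaching example; it is not code from AOSP.
All names (Screen, Keyguard, run_puk_sequence) are invented to mirror
the behaviour the article describes.
"""
from __future__ import annotations

from enum import Enum, auto


class Screen(Enum):
    LOCKSCREEN = auto()  # the regular PIN / pattern / fingerprint prompt
    SIM_PUK = auto()     # PUK entry screen shown after three wrong SIM PINs


class Keyguard:
    """Stack of security screens; the device counts as unlocked when it is empty."""

    def __init__(self, typed_dismiss: bool) -> None:
        # typed_dismiss=False models the vulnerable broadcast (no screen type),
        # typed_dismiss=True models Google's fix (dismiss names the screen type).
        self.typed_dismiss = typed_dismiss
        self.stack: list[Screen] = [Screen.LOCKSCREEN]

    @property
    def locked(self) -> bool:
        return bool(self.stack)

    def show(self, screen: Screen) -> None:
        """Push a new security screen on top; the user cannot skip past it."""
        self.stack.append(screen)

    def dismiss(self, passed: Screen) -> None:
        """Handle the 'security screen was passed' broadcast.

        Vulnerable: pop the top screen unconditionally.
        Patched: pop only if the top screen is the one that was passed.
        """
        if not self.stack:
            return
        if self.typed_dismiss and self.stack[-1] is not passed:
            return  # stale dismiss for a screen that is no longer on top
        self.stack.pop()

    def on_sim_state_changed(self, sim_ready: bool) -> None:
        """System service reacting to SIM status changes.

        When the SIM becomes active (PUK accepted, new PIN set) it closes the
        PUK screen and puts the regular lockscreen back at the top of the stack.
        """
        if sim_ready:
            self.stack = [s for s in self.stack if s is not Screen.SIM_PUK]
            if Screen.LOCKSCREEN not in self.stack:
                self.stack.append(Screen.LOCKSCREEN)


def run_puk_sequence(keyguard: Keyguard) -> bool:
    """Replay the steps from the article and report whether the device ended up unlocked."""
    # Swap in a PIN-locked SIM and enter the wrong PIN three times: the PUK
    # screen is stacked on top of the regular lockscreen.
    keyguard.show(Screen.SIM_PUK)
    # The correct PUK is entered. The SIM-state listener fires first and
    # replaces the PUK screen with the regular lockscreen ...
    keyguard.on_sim_state_changed(sim_ready=True)
    # ... and only then does the PUK screen's own "passed" broadcast arrive.
    keyguard.dismiss(passed=Screen.SIM_PUK)
    return not keyguard.locked


def normal_unlock(keyguard: Keyguard) -> bool:
    """A legitimate unlock still works under both variants."""
    keyguard.dismiss(passed=Screen.LOCKSCREEN)
    return not keyguard.locked


if __name__ == "__main__":
    print("vulnerable keyguard bypassed:", run_puk_sequence(Keyguard(typed_dismiss=False)))
    print("patched keyguard bypassed:  ", run_puk_sequence(Keyguard(typed_dismiss=True)))
    print("patched normal unlock works:", normal_unlock(Keyguard(typed_dismiss=True)))
```

The point of the model is the ordering: the SIM-state listener mutates the stack before the PUK screen's completion is processed, so an untyped "dismiss the top screen" message lands on the wrong screen. Requiring the message to name the screen it belongs to is a cheap check at the consumer, which is why it closes the hole without touching the SIM service at all.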

This vulnerability is formally registered under the name CVE-2022-20465. Google has published the fixes in the Android 13 branch on AOSP, and they were also backported to the Android 10, 11, and 12 branches.

Google generally communicates warnings about vulnerabilities to its hardware partners ahead of public releases, so it’s likely that most manufacturers will be rolling out security updates in the near future to any devices that may be vulnerable.

$70,000 bug bounty reward

For reporting the issue, Google paid out $70,000 USD to David as part of its Bug Bounty Program, which has paid out several million over the years. Unfortunately, the process didn’t go as smoothly as it probably should have. Per David’s retelling of the events, he attempted to report the issue about five months ago, at which time Google claimed it was a duplicate and not eligible for a reward. Months later, after he demonstrated the issue to some Google employees and subsequently followed up with a deadline for public disclosure, the issue was finally patched and resolved.

This situation demonstrates the need for regular, long-term security updates for phones that are likely still in service. Naturally, anybody with a potentially vulnerable phone should install the latest security updates when they become available. In the meantime, rebooting a phone and leaving it locked should keep your private data out of reach, although that isn't a viable strategy for regular use.