The PIN code is usually considered sufficient security to block third parties and other malicious actors from accessing your Android smartphone. Until now, this protection has rarely been questioned, and one would have thought that by 2022 the PIN code was a sufficiently proven security method that ways to circumvent it would no longer turn up in the latest versions of Android.
And yet researcher David Schütz explains that he accidentally discovered a bug that allows it to be bypassed. Following the discovery, a new entry, CVE-2022-20465, was created in the NIST database, in which the issue is rated as medium severity. Exploiting it requires physical access to the smartphone and not very discreet operations such as replacing the SIM card.
A bug in Android’s SIM security management allows smartphones to be unlocked without a code
David Schütz explains: “I realized the bug after 24 hours of travel. When I got home the battery was at 1%. I was in the middle of a series of text messages when the smartphone turned off. Frustrated, I then rushed to the charger and restarted the smartphone. Except that when the smartphone asked me for the PIN code, I could no longer remember it correctly.”
“I entered the wrong code too many times, and suddenly the SIM card got locked. I now needed the PUK code to unlock everything again. After having miraculously found the original packaging of the SIM card […] I entered the PUK code on my Pixel before choosing a new PIN. Once the procedure was completed, I found myself on the lock screen, but a detail caught my attention,” the researcher recalls.
He continues: “We were on a reboot, and there was still the icon meaning that we can unlock the smartphone with the fingerprint. The smartphone accepts my fingerprint […] then hangs on a weird message ‘the Pixel is starting…’”. Intrigued, he then tried to reproduce the same conditions with several variations to see whether he could get into the smartphone without entering any PIN code.
After a few tries, he found himself on the home screen of the unlocked smartphone, having simply swapped the SIM card and set a new PIN code by entering the PUK code. The manipulation works on the Pixel 6 and potentially on all recent Android smartphones. Fortunately, thanks to the researcher’s report, a patch is already available, and it should be offered by all smartphone manufacturers.
The fix is the November 5, 2022 Android patch. You are strongly advised to install it as soon as it is available on your device, especially if you work with sensitive data or topics.