Tracked as CVE-2022-20465, the security bug was resolved as part of the November 2022 Android patches, and could have allowed an attacker with physical access to a device to unlock it in minutes.
The issue, which Schutz accidentally discovered, could allow an attacker to unlock an Android phone by triggering the SIM PIN reset mechanism, which requires the user to enter a PUK code.
In this scenario, an attacker with physical access to a locked device would have to hot-swap the SIM card with one they own, and then enter the wrong personal identification number (PIN) three times to trigger the PIN reset process, which prompts for the SIM’s 8-digit personal unlocking key (PUK) code. The attacker is assumed to have the PUK code if they insert their own SIM card into the phone.
Once the attacker enters the PUK code, they are provided with full access to the device, without being prompted to provide the phone’s PIN, a password, or an unlocking pattern.
The vulnerability, a lock screen bypass due to an error in the “dismiss and related functions of KeyguardHostViewController.java and related files”, impacts devices running Android 10, 11, 12, and 13. Google describes the issue as an elevation of privilege bug.
The underlying issue, Schutz says, is a race condition vulnerability in a .dismiss() function called after the PUK code has been entered. The function is meant to dismiss the current security screen, which should have been the PUK prompt.
Because of this vulnerability, however, the component monitoring the SIM state in the background would change the security screen right before the .dismiss() function was called, resulting in the PIN/password/pattern screen being dismissed instead and the phone being unlocked.
“It seems like this background component set the normal e.g. fingerprint screen as the active security screen, even before the PUK component was able to get to its own .dismiss() function call. By the time the PUK component called the .dismiss() function, it actually dismissed the fingerprint security screen, instead of just dismissing the PUK security screen, as it was originally intended,” Schutz says.
To address the vulnerability, Google modified the .dismiss() function by adding a new parameter, where the function caller specifies which type of security screen should be dismissed.
“In our case, the PUK component now explicitly calls .dismiss(SecurityMode.SimPuk), to only dismiss security screens with the type of SimPuk. If the currently active security screen is not a SimPuk screen (because maybe some background component changed it, like in our case), the dismiss function doesn’t do anything,” Schutz notes.
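The ordering problem and the fix described above, as an added illustrative model (not AOSP code and not Schutz's proof of concept): a minimal security-screen container where a background SIM-state component swaps the active screen between PUK verification and the PUK component's dismiss call. Only `SecurityMode.SimPuk` and `dismiss(...)` come from the article; the other mode names, the class names and the method names are assumptions.

```java
/** Hypothetical model of the keyguard's active security screen; not AOSP code. */
public class KeyguardDismissDemo {
    // Only SimPuk is taken from the article; the remaining modes are assumed for illustration.
    enum SecurityMode { None, Pin, Password, Pattern, SimPin, SimPuk }

    /** Holds the screen the keyguard currently shows; background components may change it. */
    static class SecurityContainer {
        SecurityMode current = SecurityMode.SimPuk;
        boolean unlocked = false;

        // Pre-patch behaviour (modelled): dismiss whatever screen happens to be active.
        void dismissUnchecked() {
            unlocked = true;              // dismissing the active screen ends the keyguard
            current = SecurityMode.None;
        }

        // Post-patch behaviour (modelled): only dismiss the screen the caller expects.
        boolean dismiss(SecurityMode expected) {
            if (current != expected) {
                return false;             // another component swapped the screen; do nothing
            }
            unlocked = true;
            current = SecurityMode.None;
            return true;
        }
    }

    /** Replays the race: the SIM-state monitor fires between PUK acceptance and dismiss(). */
    static boolean pukFlow(boolean patched) {
        SecurityContainer c = new SecurityContainer();
        // 1. The PUK is accepted and the PUK component is about to dismiss its own screen.
        // 2. Before it does, the SIM state changes and the background monitor makes the
        //    device's normal credential screen (modelled here as Pin) the active one.
        c.current = SecurityMode.Pin;
        // 3. The PUK component's dismiss() lands on whichever screen is active now.
        if (patched) {
            c.dismiss(SecurityMode.SimPuk); // active screen is Pin, so this is a no-op
        } else {
            c.dismissUnchecked();           // dismisses the Pin screen and unlocks the device
        }
        return c.unlocked;
    }

    public static void main(String[] args) {
        System.out.println("unpatched model unlocked: " + pukFlow(false));
        System.out.println("patched model unlocked:   " + pukFlow(true));
    }
}
```

The same shape applies to any dismiss-style API: a caller that names the state it intends to tear down cannot be redirected by a concurrent state change it never observed.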
The researcher reported the vulnerability to Google in mid-June. A few months later, the internet giant told him that the report was a duplicate.
Schutz says he was able to demonstrate the issue in front of several Google engineers in September at an event and that, after engaging again with the bug bounty program team, the internet giant decided to expedite the release of patches and to award him $70,000.
The researcher confirmed the vulnerability on Pixel 5 and Pixel 6 phones, but other Android devices might be impacted as well. Updating to an Android security patch level of 2022-11-05 or later resolves the bug.