Android Full Lock Screen Bypass - Pixel | Demo + Explanation | CVE-2022-20465

published 2022-11-14 · updated 2022-12-21 #android #vulnerability #grapheneos #calyxos #lineageos
All software has vulnerabilities, and Android OS is no exception. CVE-2022-20465 is a full lock screen bypass that works on various Android devices, including the Google Pixel line.



Transcript

Please excuse any grammatical errors. I used a tool to generate the transcript and haven't had a chance to read through it yet.

On November 10, 2022, I saw a tweet circulating from someone named David Schütz saying that he had found a vulnerability to unlock any Google Pixel. He did a great write-up on his blog, including the timeline of when he disclosed it to Google, an explanation of how he found it and the code logic the exploit relies on, as well as a demonstration video, all of which I will link down below. The vulnerability exists in the way that the SIM card is unlocked on Android OS using the PUK code, which I will explain a little bit more later. I want to be clear that I have nothing to do with actually discovering this vulnerability; I'm just discussing what David shared publicly. And while I was debating just talking about the video that he shared, it's always a lot cooler to actually show something than just to talk about it, so I decided to test it out myself.

To exploit this vulnerability, you need to have a SIM card with a PIN, which is easy enough, anyone can set that through the settings, and you also need a PUK code, which is either written on the packaging that your SIM card comes in, or you need to call your carrier to get that information. The PUK code is used if you have a PIN set on your SIM card and you forget it. Once you enter the PIN incorrectly three times, you need to enter the PUK code to unlock it and to set a new PIN. The easiest way to test this would be to use the SIM card I already have for my existing cell phone service. But it turns out that my carrier does not keep the PUK codes, or does not give them out to users. If you lock yourself out of your SIM card, they just send you a new one. So that was not going to be an option. My next choice was to buy a prepaid SIM card and hope that it had the PUK code printed on the actual packaging. So the first prepaid SIM card I bought was from Target, since I had to go there anyway. I opened the packaging and there was no PUK code written on it. That means I would need to reach out to the carrier to get the PUK code.
So I messaged them on Messenger through their website. I told them that I set a PIN code, forgot it, and locked my SIM before I was able to set up service. I asked them if I could get the PUK code to unlock it. They said, "Absolutely, we can sure do that for you." So I got pretty excited, because usually things do not go so smoothly on a first try. And then the next message said, "We can give you the PUK code as soon as you sign up for service." After I pushed a few more times, the representative kindly closed down the chat and I was out of luck. So I looked up where the nearest Best Buy was and headed over there in the hope that they would have a few more options. Thankfully, Best Buy did have more options, so I bought three different ones so I didn't have to keep going back. I live in Florida, so I'm pretty sure that the cashier thought I was a dealer, buying so many prepaid cards all at the same time. But regardless, I got to my car, tore open the packaging for the three SIM cards, and none of them had the PUK code printed on it.

So when I got home, I checked, and one of the three carriers had live chat available, so that's the one I started with. I used the exact same story as earlier: that I set a PIN code, forgot it, and needed the PUK code so I could set up service. Thankfully, this time the support individual was more than happy to give me the code. So we were all set to test. If you watch the recording that David released, it took him one attempt to actually get the screen to unlock on his device, which was a Pixel 6. For me, I was testing on a Pixel 6a where I intentionally flashed an out-of-date version of Android OS that had the October 2022 security patch, which means it was vulnerable to this exploit. And while it did end up working and unlocking my device, as you'll see, it did take me about 10 minutes to actually get it to work.

So the first thing I'm doing is failing the fingerprint authentication so that a PIN code is required, so that I can show you that the phone is indeed locked. This is not required, but it makes the demonstration a little more realistic. The next step is to eject the SIM card tray on the device and then insert the SIM card that you set a PIN code on and that you know the PUK code for. Once you place that in the device, you're going to get this screen asking for the SIM PIN. What you want to do next is incorrectly enter the SIM PIN three times. I'm fast-forwarding this part because I'm adjusting my camera. After you enter the SIM PIN code incorrectly three times, you're presented with this screen, which is asking for the PUK code. You then enter the PUK code correctly, which lets you set a new PIN. Once you do that, you'll see "Unlocking SIM card", and on the screen you might have seen it, it was quick.
But we saw the lock screen glitch and show us the Settings screen, which is the screen I have open currently on the Pixel 6a that I'm testing this on. This is the part that I didn't see in David's video: at least on the 6a, it took me multiple tries, as you'll see, to actually get the lock screen to disappear. So I don't know exactly what's happening in the background that's making this not unlock on the first try. But at this point I'm going to fast-forward my next attempts so your eyes do not bleed from watching the same thing over and over again.

So while we wait for my unlock to be successful, let's talk about exactly how this works, from what I understand at this time. This works because of a race condition that's occurring in the SIM unlock process. And don't worry if you don't completely understand my explanation; the blog post I linked in the description goes into more detail if you want to read up on it. On Android, there's a concept of security screens. When the fingerprint screen is displayed, that's a security screen. When the PIN unlock is displayed, that's a security screen. These screens can also be layered on top of one another. So in this example, we have the PIN code security screen, and on top of that is the PUK code security screen. When the SIM PUK reset is successful, it issues a dismiss call, and the dismiss function it calls does not specify which security screen it is going to dismiss. So whichever security screen is active is the one that is dismissed. What appears to be happening is that the PUK reset completes successfully and then calls the dismiss function, but something is changing in the background that's making the PIN code security screen the active security screen instead of the PUK code security screen. So instead of the PUK security screen being dismissed, the PIN code security screen is dismissed and the phone is unlocked.
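To make the "dismiss whatever is on top" logic concrete, here is an added toy model in Python. It is not code from the video, from David Schütz's write-up, or from AOSP; the `Keyguard` class, its method names, the `on_sim_state_changed` event, and the `expected` argument are all invented for illustration. It walks the PUK reset twice, once where the dismiss runs while the PUK screen is still showing and once where the SIM state change wins the race and the PIN screen is showing instead, and compares an untargeted dismiss with a hardened variant that refuses to dismiss a screen other than the one the caller just completed (one way to close the hole; it is a model, not the AOSP patch).

```python
"""Toy model of the lock screen's stack of security screens.

Added example, not code from the video, David Schütz's write-up, or
AOSP. Names are invented; only the behaviour follows the explanation
above: an untargeted dismiss() removes whichever screen is showing,
so if the keyguard has switched back to the PIN screen in the
meantime, the PIN screen is what gets dismissed.
"""
from enum import Enum, auto
from typing import List, Optional


class SecurityMode(Enum):
    PIN = auto()      # the device lock screen (PIN/pattern/password)
    SIM_PUK = auto()  # PUK entry screen shown after three wrong SIM PINs


class Keyguard:
    """screens[-1] is the screen currently showing. The device is only
    unlocked once the device-credential (PIN) screen is dismissed as
    authenticated."""

    def __init__(self, hardened: bool) -> None:
        self.hardened = hardened
        self.screens: List[SecurityMode] = [SecurityMode.PIN]
        self.unlocked = False
        self.log: List[str] = []

    def current(self) -> SecurityMode:
        return self.screens[-1]

    def push(self, mode: SecurityMode) -> None:
        self.screens.append(mode)
        self.log.append(f"show {mode.name}")

    def on_sim_state_changed(self) -> None:
        # SIM left the PUK-locked state: the SIM screens are no longer
        # needed, so the keyguard re-evaluates and shows the PIN screen.
        self.screens = [SecurityMode.PIN]
        self.log.append("sim state changed -> showing PIN")

    def dismiss(self, authenticated: bool,
                expected: Optional[SecurityMode] = None) -> bool:
        """Dismiss the screen currently showing.

        Vulnerable behaviour: `expected` is ignored and the top screen is
        dismissed, whatever it is. Hardened behaviour: the caller names
        the screen it finished and the dismiss is refused if a different
        screen is showing now."""
        if self.hardened and expected is not self.current():
            exp_name = expected.name if expected else "none"
            self.log.append(f"dismiss refused: expected {exp_name}, "
                            f"showing {self.current().name}")
            return False
        dismissed = self.screens.pop()
        self.log.append(f"dismissed {dismissed.name}")
        if authenticated and dismissed is SecurityMode.PIN:
            self.unlocked = True
            self.log.append("keyguard finished: device unlocked")
        return True


def puk_reset_flow(kg: Keyguard, race: bool) -> None:
    """Three wrong SIM PINs, then a correct PUK, then the PUK controller's
    dismiss. With race=True the SIM-state event lands before dismiss."""
    kg.push(SecurityMode.SIM_PUK)
    kg.log.append("PUK accepted, new SIM PIN set")
    if race:
        kg.on_sim_state_changed()
    kg.dismiss(authenticated=True, expected=SecurityMode.SIM_PUK)
    if not race:
        kg.on_sim_state_changed()


def simulate(race: bool, hardened: bool) -> Keyguard:
    kg = Keyguard(hardened=hardened)
    puk_reset_flow(kg, race=race)
    return kg


if __name__ == "__main__":
    for hardened in (False, True):
        for race in (False, True):
            kg = simulate(race=race, hardened=hardened)
            print(f"hardened={hardened} race={race} unlocked={kg.unlocked}")
            for line in kg.log:
                print("   ", line)
```

Only the combination `hardened=False, race=True` ends with the device unlocked, which matches the observation above that the bypass needs the SIM state to change underneath the PUK screen before the dismiss runs; the hardened dismiss logs a refusal in that case and leaves the PIN screen up.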
So we're now back to normal speed, because this is the attempt that unlocks my device. There are a couple of things I want to point out that I noticed. Right after you enter the third SIM PIN incorrectly, the lock screen actually flashes and you can see the time there. That doesn't happen on the previous attempts that were unsuccessful. The previous attempts would instantly show the PUK code screen, and whenever that happened, the unlock was unsuccessful. So we can see here "Unlocking SIM card", and we now see the screen that was left open on my Pixel 6a. The device is completely unlocked. We can swipe up and see all the apps; the device works as if we successfully unlocked it.

So the main reason I made this video is to try and communicate that timely security updates matter. Vulnerabilities exist in all software, just waiting to be discovered, and timely security updates are the only way that you can ensure that you're protected. Quick updates might seem like a boring feature to look for in a mobile OS, but you need them. The fix for this is in the November 2022 security patch from Google. To check if your Android device is patched, you can go into Settings, About phone, tap on Android version, and then look at the date for the Android security update. If your phone isn't up to date, update it.

If you're using an OS with delayed updates, consider switching to another OS with faster updates. And if your phone is no longer supported with security updates, I guess this is more of an FYI, so that you understand the risk of using end-of-life hardware: you can't have privacy without security, and this is just one example to show that. One example of an OS that still isn't patched yet is LineageOS. I just installed this last night on a Pixel 5a, and as we can see, it's still on the October 2022 security update, which means it is vulnerable. It's also running Android 12, which in my testing works every time you try this exploit. As of the time of this recording, which is November 12, 2022, I did confirm that GrapheneOS, CalyxOS, and stock Android OS are all up to date and are no longer vulnerable to this exploit.

The last thing I want to talk about is a feature on the OS that I recommend and use, which is GrapheneOS. The feature is called auto reboot. You can access this by going to Settings, Security, and selecting Auto reboot. The option you select determines how long until your phone auto-reboots after the last successful unlock. So in my case, if I don't unlock my phone in a 12-hour time period, it reboots. Now, you might be asking yourself, "Josh, how is this supposed to help me if the lock screen can be bypassed?" It's important to remember that if you just restarted your device and you have not entered your PIN code successfully at least once, then the user data on your device is still encrypted. And while this exploit bypasses the lock screen, it has nothing to do with the encryption of your data. So as an example, I use this exploit after a reboot, and we can see the phone just hangs on "Pixel is starting". The phone never gets past this point because the user data is still encrypted and safe.

So let's say that you were out somewhere in October, you lost your phone, and someone found it. A few weeks later, it's November, and the individual that found your device came across this exploit and wants to see if they can get into your phone. Luckily, you had the auto reboot feature enabled: 12 hours after the individual found your device, it rebooted itself. And while they were able to get past the initial lock screen, since your device was not fully up to date, that individual was not able to actually get your data, since it was still safe and encrypted. So while this protection is imperfect, it does decrease the window of opportunity for the malicious actor.

As far as the scope of this vulnerability goes, Daniel Micay covered that in a tweet. I'm paraphrasing what he shared, but this is an Android vulnerability, not something specifically related to the Google Pixel. Depending on what a vendor altered in their fork of AOSP, they may not be impacted by this, but if they use close to unaltered AOSP, they will likely be impacted. And lastly, I want to mention that while this might seem like a basic oversight by a developer, vulnerabilities like this exist in all code and will continue to be discovered, so keep your software up to date to make sure that you stay protected.