15 Nov, 2022 By: Monika Singh
Pixel smartphone users, beware! A new vulnerability has been discovered by cybersecurity researcher David Schutz. This flaw will allow anyone to unlock the lock screen and open your Pixel device without your fingerprint or password.
Hungary-based David Schutz, in his recent blog post, identified the vulnerability as CVE-2022-20465 and said that he is not sure whether it affects other Android smartphones as well; he was able to find the flaw only on a Pixel device. He noted that if anyone gave him a locked Pixel device, he would give it back unlocked.
He further added that Google had rectified this issue on November 5, 2022, in a security update. According to him, he had reported this flaw in June, which means it took five months for the company to fix this issue.
He carried out this experiment on Google Pixel 6 and Pixel 5 smartphones.
What went wrong?
He found the vulnerability one day when his phone ran out of battery. He connected the charger and booted the phone. Upon doing this, he was asked to enter the security PIN for the SIM card, which he did not remember, so he ended up entering the wrong PIN three times.
After this, the smartphone asked him to enter the SIM's PUK code to unlock the SIM. For those unaware, the PUK code, short for Personal Unlocking Key, is used to reset the PIN. It protects your mobile SIM card and is unique to that SIM card.
Once he entered the PUK code, he noticed something: the smartphone had started displaying the fingerprint icon, which was not supposed to happen.
What happened next?
Schutz repeated the process without rebooting the phone. He removed the SIM tray and re-inserted it while the device was on. He once again typed the wrong PIN three times, then entered the PUK, and after that set a new PIN.
Surprisingly, the phone unlocked and took him to the home screen, even though the lock screen had not been unlocked. To verify this, he repeated the process multiple times and got the same result each time.
After this incident was reported in June, Google fixed the issue on November 5, 2022, which means it took five months for the company to fix this issue.
Google has awarded the researcher $70,000 under its bug bounty program for privately reporting this flaw.