Bypass Dangerous Screen Lock With SIM Card Swap - Update Android Now!  - Naked Security


A bug bounty hunter named David Schütz has published a detailed report describing how he crossed swords with Google for several months over what he saw as a serious security vulnerability in Android.

According to Schütz, he stumbled upon a complete Android lock screen bypass bug quite by chance in June 2022, under real-life conditions that could easily have happened to anyone.

In other words, it was reasonable to assume that other people might learn about the bug without intentionally looking for bugs, making its discovery and public disclosure (or private abuse) more likely than usual.

Unfortunately, it wasn’t patched until November 2022, which is why it wasn’t revealed until now.

An accidental battery failure

Simply put, he found the bug because he forgot to turn off his phone or charge it before setting off on a long trip, leaving the device to run out of juice unnoticed while he was on the road.

According to Schütz, he was rushing to send some messages after he got home (we think he was on a plane) with a tiny amount of power left in the battery…

…when the phone died.

We’ve all been there, scrambling for a charger or a spare battery pack to get the phone back on so we can let people know we’ve arrived safely, are waiting at baggage reclaim, have reached the train station, expect to be home in 45 minutes, could stop at the shops if anyone urgently needs anything, or whatever else we have to say.

And we’ve all struggled with passwords and PINs when we’re in a hurry, especially if they’re codes we rarely use and haven’t developed “muscle memory” for typing in.

In Schütz’s case, it was the humble PIN on his SIM that stumped him, and because SIM PINs can be shorter than four digits, they’re protected by a hardware lock that limits you to three guesses at most. (We’ve been there, done it, and locked ourselves out.)

Next, you need to enter the 10-digit “Principal Personal Identification Number” known as the PUK, short for personal unlocking key, which is usually printed inside the packaging that the SIM card is sold in, making it highly tamper-proof.

To guard against PUK guessing attacks, the SIM card automatically fries itself after 10 wrong attempts, and needs to be replaced, which usually means heading to a mobile store with identification.

What did you do with this package?

Fortunately, because he wouldn’t have found the bug without it, Schütz located the original SIM card packaging hidden somewhere in a locker, scratched off the protective strip covering the PUK, and typed it in.

At this point, since he was in the process of starting the phone after it ran out of power, he should have seen the phone lock screen prompting him to type in the phone unlock code…

…but, instead, he realized that he was at the wrong type of lock screen, because it was giving him a chance to unlock the device using only his fingerprint.

That’s only supposed to happen if your phone locks during regular use, and it’s not supposed to happen after a power outage and restart, when re-authentication with the full passcode (or one of those swipe-to-unlock “pattern codes”) is required.

Is there really a “lock” in your lock screen?

As you probably know from the many times we’ve written about lock screen bugs over the years on Naked Security, the problem with the word “lock” in lock screen is that it simply isn’t a good metaphor for the complexity of the code that manages the process of “locking” and “unlocking” modern phones.

A modern mobile lock screen is a bit like a house front door that has a high-quality deadbolt lock…

…but also has a mailbox (mail slot), panes of glass to let in light, a cat flap, a spring-loaded lock that you’ve learned to rely on because the deadbolt is a bit of a hassle, and an external wireless doorbell/security camera that’s easy to steal even though it contains the Wi-Fi password in plain text and the last 60 minutes of video footage it recorded.

Oh, and in some cases, even a seemingly secure front door will have keys “hidden” under a doormat anyway, which is pretty much the situation Schütz found himself in on his Android phone.

A map of twisty passages

Modern phone lock screens are not so much about locking your phone as restricting your apps to limited operating modes.

This typically leaves you, and your apps, with lock screen access to a plethora of “special case” features, such as activating the camera without unlocking, or having a curated set of notifications or email subject lines appear where anyone can see them without the passcode.

What Schütz encountered, in an entirely unremarkable sequence of operations, was a flaw in what is known in the jargon as the lock screen state machine.

A state machine is a kind of graph, or map, of the conditions in which a program can be, along with the legal ways in which the program can go from one state to another, such as a network connection switching from “listening” to “connected”, and then from “connected” to “verified”, or a phone screen switching from “locked” to either “unlockable with fingerprint” or “unlockable but passcode only”.

As you can imagine, state machines for complex tasks get complicated quickly, and the map of different legal paths from one state to another can end up full of twists and turns…

…and sometimes strange secret passages that no one noticed during testing.

In fact, Schütz was able to turn his inadvertent PUK discovery into a general lock screen bypass by which anyone who picked up (or stole, or had brief access to) a locked Android device could trick it into the unlocked state armed with nothing more than a new SIM card of their own and a paper clip.

In case you were wondering, the paper clip is for ejecting the SIM that is already in the phone so that you can insert the new SIM and trick the phone into the “I need to request the PIN for this new SIM for security reasons” state. Schütz admits that when he went to Google’s offices to demonstrate the hack, no one had a proper SIM ejector, so they first tried a needle, which Schütz managed to stab himself with, before he succeeded with an earring. We suspect that poking the needle in point first didn’t work (it’s hard to hit the ejector pin with a small point), so he decided to risk using it point outwards with “extreme caution”, thus turning a hacking attempt into a literal hack. (We’ve been there, done it, and pricked ourselves in the fingertips.)

System tampering with a new SIM

Since the attacker knows both the PIN and the PUK of the new SIM, they can deliberately get the PIN wrong three times and then immediately get the PUK right, thus deliberately forcing the lock screen state machine into the insecure state that Schütz discovered by accident.

With the right timing, Schütz found that he could not only land on the fingerprint unlock page when it wasn’t supposed to show up, but also trick the phone into accepting the successful PUK unlock as a signal to dismiss the fingerprint screen and “validate” the entire unlock process as if he had typed in the phone’s full lock code.

Unlock bypass!

Unfortunately, much of Schütz’s article describes the length of time it took Google to respond to this vulnerability and to fix it, even after the company’s engineers decided that the bug was indeed reproducible and exploitable.

As Schütz himself said:

This was the most impactful vulnerability I’ve found so far, and it just crossed the line for me as I really started worrying about the fix schedule and even about keeping it as a “secret” to myself. I may be overreacting, but I mean, not too long ago the FBI was fighting with Apple for pretty much the same thing.

Disclosure delay

Given Google’s stance on bug disclosure, with its own Project Zero team notoriously firm about the need to set strict disclosure times and stick to them, you would probably expect the company to adhere to its own rules of 90 days, plus 14 more in special cases.

But according to Schütz, Google could not manage it in this case.

Apparently, he agreed to a date in October 2022 on which he planned to disclose the bug publicly, as he has now done, which seems like plenty of time for a bug he discovered back in June 2022.

But Google missed the deadline in October.

The patch for the bug, designated CVE-2022-20465, finally appeared in the November 2022 Android security patches, dated 11-05-2022, with Google describing the fix as: “Do not ignore the keyguard after unlocking the PUK code for the SIM card.”

Technically, the bug was what is known as a race condition, where the part of the operating system that was watching the PUK entry process to keep track of “Is it safe to unlock the SIM now?” ended up issuing a success signal that overtook the code that was simultaneously keeping track of “Is it safe to unlock the entire device?”

However, Schütz is now much richer thanks to Google’s bug bounty payout (his report states that he had hoped for $100,000, but had to settle for $70,000 in the end).

He held off on disclosing the bug after the October 15, 2022 deadline, accepting that discretion is sometimes the better part of valour, saying:
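The race described above, as a simplified model added here for illustration (it is not Android's code and does not come from Schütz's report). All class, method and event names are hypothetical, and the "checked" dismiss is one way to make a success signal safe against reordering, not a description of Google's patch. The model replays the two SIM-side events in every order and reports which orderings reach the unlocked state without any device passcode.

```python
from enum import Enum, auto
from itertools import permutations

class Screen(Enum):
    SIM_PUK = auto()      # waiting for the SIM's PUK
    DEVICE_LOCK = auto()  # waiting for the device passcode
    HOME = auto()         # device unlocked

# Added model, hypothetical names (not Android's code): clearing a screen reveals the next.
NEXT = {Screen.SIM_PUK: Screen.DEVICE_LOCK, Screen.DEVICE_LOCK: Screen.HOME}

class Keyguard:
    def __init__(self, checked):
        self.checked = checked         # True = dismiss verifies its target
        self.current = Screen.SIM_PUK  # constructed start: rebooted, SIM locked
        self.trace = []

    def dismiss(self, issued_for, why):
        nxt = NEXT.get(self.current)
        if nxt is None or (self.checked and self.current is not issued_for):
            self.trace.append(f"ignored '{why}' at {self.current.name}")
            return
        self.trace.append(f"{why}: {self.current.name} -> {nxt.name}")
        self.current = nxt

    # The two SIM events come from different components; either may land first.
    def sim_became_ready(self):
        if self.current is Screen.SIM_PUK:
            self.dismiss(Screen.SIM_PUK, "SIM ready")

    def puk_accepted(self):
        self.dismiss(Screen.SIM_PUK, "PUK accepted")

    def device_credential_ok(self):
        self.dismiss(Screen.DEVICE_LOCK, "passcode accepted")

def replay(events, checked):
    kg = Keyguard(checked)
    for name in events:
        getattr(kg, name)()
    return kg.current, kg.trace

def orders_reaching_home(checked):
    """SIM-only event orderings that unlock the device with no passcode."""
    sim_events = ("puk_accepted", "sim_became_ready")
    return [o for o in permutations(sim_events) if replay(o, checked)[0] is Screen.HOME]

if __name__ == "__main__":
    print({c: orders_reaching_home(c) for c in (False, True)})
```

With the unchecked dismiss, the ordering in which the late "PUK accepted" signal arrives after the device lock screen is already showing ends at HOME; with the checked dismiss, no SIM-only ordering does.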

I [was] too afraid to actually take out the direct error, and since the fix was less than a month away, it wasn’t worth it anyway. I decided to wait for the repair.

What do I do?

Check your Android device is up to date: Settings > protection > Security update > Check updates.

Note that when we visited the Security update screen, after not using our Pixel phone for a while, Android boldly announced “Your system is up to date”, indicating that it had checked automatically a minute or so earlier, but still told us we were on the October 5, 2022 security update.

We did a new update check manually and were immediately told “Preparing a system update…”, followed by a short download, a long preparatory phase, and then a reboot request.

After rebooting we had reached the November 5, 2022 patch level.

Then we went back and did one more Check updates to confirm that there were no pending fixes.

We used Settings > protection > Security update to get to the force-a-download page:

The reported date looked wrong, so we went ahead with Check updates anyway:

There was already an update to install:

Instead of waiting we used Resume to proceed at once:

A lengthy update followed:

We did one more Check updates to confirm we were there:
