Cybersecurity researcher David Schütz unintentionally found a method to bypass the lock screen on Android phones, Bleeping Computer reports.

He tested the bypass on his up-to-date Google Pixel 6 and Pixel 5 smartphones and found that anyone with physical access could get past the lock screen.

Google has fixed the security flaw in its latest Android security patch. However, the vulnerability was available for exploitation for at least six months.

After Schütz’s Pixel 6 handset ran out of battery, he entered the incorrect SIM PIN three times, resulting in the phone prompting him to unlock the SIM card using the Personal Unblocking Key (PUK) code.

He was then able to select a new SIM PIN, and surprisingly, the phone didn’t ask for a lock screen password but rather a fingerprint scan.

After continued experimentation, Schütz found that he could also bypass the fingerprint scan, taking him straight to the device’s home screen.

When an attacker provides an incorrect fingerprint scan three times, Android disables biometric authentication, leaving only the lock code to secure the handset.

They can then remove and re-insert the SIM, which results in the smartphone asking for the SIM’s PIN.

Once the SIM PIN has been entered incorrectly three times, the phone again prompts for the PUK code, this time bypassing the fingerprint scanner and taking the attacker directly to the home screen.

According to Bleeping Computer, the impact of the vulnerability is widespread, affecting devices running Android 10 to 13 that haven’t installed the November 2022 update.

Schütz posted a proof-of-concept video on YouTube for the bypass.

