A security researcher accidentally stumbled onto a Google Pixel lock-screen bypass, and the discovery netted him $70,000.

David Schütz found the flaw, which allowed an attacker to unlock any Google Pixel phone without having the passcode. With a November update, Google resolved the problem (recorded as CVE-2022-20465), enabling Schütz to share his research.

The weakness gave an attacker with physical access to a target device a way to get around lock-screen protections such as fingerprint or PIN verification. By following a set of steps, the hack could be carried out with little technical know-how against a variety of Android mobile devices.

Fortunately, the vulnerability was not suitable for remote exploitation.

Serendipity strikes

According to a blog post, Schütz unintentionally ran into the problem after locking himself out of his Pixel phone's SIM and using the PUK code to recover access. He finished the procedure successfully; however, the lock screen he was then shown had some strange features.

It was a fresh boot, yet the fingerprint icon was visible instead of the usual lock icon, Schütz recalled. “Since you must enter the lock screen PIN or password at least once after a reboot to decrypt the device, it shouldn’t have accepted my finger.”

The device crashed after accepting his finger and displayed an odd “Pixel is starting…” message. Schütz got it working again with a hard reboot.

Schütz decided to look into the matter over the following days. On one attempt he did not restart the phone; instead, he started from the device’s normal unlocked state, locked it, hot-swapped the SIM tray, and then performed the SIM PIN reset procedure.

Schütz went through the process, entered the PUK code, chose a new PIN, and was then shown his unlocked home screen.

On a fully patched Pixel 6, the researcher realized he had completely bypassed the lock screen. The same trick worked on a Pixel 5.

Easy exploitation

Schütz understood that anyone could use the hack, including spies, criminals, and envious partners.

“Since the attacker just needed to carry his or her own PIN-locked SIM card, physical access was all that was needed for exploitation. The exploit could be used with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code by simply swapping the SIM in the victim’s device.”

Patch puzzlement

Google quickly processed and filed the bug once Schütz reported the problem, but the solution took much longer.

Google initially told Schütz the issue was a duplicate and therefore not normally eligible for a bug reward. Google then stalled for a few weeks before responding to persistent requests from Schütz and to a demonstration of the attack he gave to Google employees at ESCAL8, an event for bug hunters, in September.

Shortly after, Google acknowledged that, although Schütz’s report was a duplicate, it had only begun developing a fix as a result of his submission. The company therefore decided to award him a $70,000 bounty for the Pixel lock-screen bypass.

On November 5 the flaw was fixed, allowing Schütz to publish his findings along with a video demonstrating the bug.

The researcher explained that, in the code, Android security screens can be stacked “on top” of one another.

When the SIM PUK was successfully reset, the PUK resetting component called the “.dismiss()” function on the security screen stack, “causing the device to dismiss the current security screen and show the security screen that was ‘under’ it in the stack,” he said.

Because “the .dismiss() function simply dismissed the current security screen, it was vulnerable to race conditions”: if a background process had changed which screen was on top in the meantime, the PUK resetting component could dismiss an unrelated security screen.

Google modified the code so that the call explicitly names the kind of security screen that should be dismissed.
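As an added illustration, not Schütz's or Android's own code, the following Python model of a security-screen stack shows why an untyped dismiss is racy and how naming the expected screen kind closes the hole; the class and screen names are assumptions made for the example.

```python
from enum import Enum, auto


class Screen(Enum):
    """Kinds of keyguard security screen (names are assumptions, not Android's)."""
    DEVICE_PIN = auto()  # device lock screen: PIN / pattern / password
    SIM_PUK = auto()     # "enter PUK and choose a new SIM PIN"


class SecurityStack:
    """Security screens stacked on top of each other; the top one is shown.
    An empty stack means no screen is left and the device is unlocked."""

    def __init__(self, *screens):
        self._stack = list(screens)

    def top(self):
        return self._stack[-1] if self._stack else None

    def dismiss_current(self):
        """Unpatched shape: pops whatever is on top, whatever kind it is."""
        return self._stack.pop() if self._stack else None

    def dismiss(self, expected):
        """Patched shape: pops only if the top screen is the kind the caller
        actually finished; otherwise the stack is left untouched."""
        if self.top() is expected:
            return self._stack.pop()
        return None


def finish_puk_reset(stack, typed_dismiss, background_update_first):
    """Simulate the PUK-reset component completing.

    If a SIM-state update from a background process wins the race, it has
    already popped the SIM PUK screen, so the device PIN screen is on top
    when the PUK component fires its own dismiss. Returns the screen shown
    afterwards (None means the device is unlocked)."""
    if background_update_first:
        stack.dismiss(Screen.SIM_PUK)  # SIM is usable again; PUK screen goes
    if typed_dismiss:
        stack.dismiss(Screen.SIM_PUK)  # fix: only a SIM PUK screen is dismissed
    else:
        stack.dismiss_current()        # bug: whatever is on top is dismissed
    return stack.top()


def locked_phone_with_swapped_sim():
    """Constructed scenario: locked device with a PIN-locked SIM inserted and
    the SIM PUK screen stacked on top of the device lock screen."""
    return SecurityStack(Screen.DEVICE_PIN, Screen.SIM_PUK)
```

Only the combination of the untyped dismiss and the background update winning the race leaves the stack empty; with the typed dismiss the device PIN screen stays in place either way.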
