Google Pixel device owners may want to download and install the November 2022 security patches for their devices as soon as possible. Google fixed a serious security issue that allows the bypassing of the lock screen of the device.
The attack requires access to the Google Pixel device, but nothing besides that. Successful exploitation of the issue gives the attacker full access of the device, bypassing any lock screen protection that may be in place.
Security researcher David Schütz discovered the vulnerability by accident and reported it to Google after verification on his end. According to Schütz, it took Google several months to patch the issue and release a security update for supported Android devices.
The Google Pixel lock screen bypass explained
Schütz explains that he discovered the issue by accident. His Google Pixel 6 phone shut itself down while traveling. He typed the wrong PIN several times after connecting the device to a charger; this led to the device asking for the PUK to be entered.
After entering the PUK, the device asked Schütz to enter a new PIN to protect the device. Schütz noticed then that the device was not asking for the lock screen PIN, but that he could sign-in using fingerprint protection. That should not happen at this stage, as it was a fresh boot.
He investigated the issue in depth, putting the device into the PUK state multiple times. One time, he decided to hot-swap the SIM card and do the PIN reset process using the PUK of the other SIM card. This worked and to Schütz’s surprise, bypassed the lock screen protection of the device and loaded the home screen.
In other words: Schütz discovered a lock screen bypass that worked on Pixel devices. It requires physical access and a second SIM card that is in PIN locked state. The same issue affected the researcher’s Pixel 5 device.
Schütz did not test the issue on other devices. He suggests that devices off other manufacturers may be affected by the security issue as well.
Google awarded Schütz a bug bounty of $70,000 for discovering and reporting the issue. It is important to realize that older Pixel devices may be affected by the issue. Security updates are not released for devices that are out of support. As a result, some devices that may be vulnerable may never be patched.
You may check Google’s support page, which details for how long Pixel devices are supported with updates by the company.
Google Pixel’s November security patches fix the issue
Google releases security updates for Pixel devices once per month. Pixel owners may check the installed Android version in the following way:
- Open the Settings application on the Pixel device.
- Go to About Phone > Android version.
There, you find listed the Android version, Android security update, and the build number.
Do the following to check for Android updates:
- Open the Settings application on the Pixel device.
- Go to System > System update.
The page that opens displays the update status. Follow the steps outlined on the page to download and install the latest security update for the Pixel device.
Devices that can’t be updated may be vulnerable to the security issue. While there is no option to mitigate the issue fully, Android users may turn off the device before leaving it unattended for better protection against the issue.
All things considered, Google Pixel users may want to update their devices as soon as possible. A full lock screen bypass gives attackers full access to the device; this includes access to photos and videos, messages, applications, security apps, the browsing history and much more.
