A New Google Pixel bug patch potentially harmed all Android phones

Published November 15, 2022
Author: Ash Khan

Google has now fixed an Android lock screen vulnerability, months after it was first reported.

According to reports, a vulnerability affecting “apparently all” Google Pixel phones could have let anyone with physical access unlock a locked Pixel smartphone.

According to security researcher David Schütz, whose bug report prompted Google to act, the flaw was only fixed for the affected Android phones in the November 5, 2022 security update, around six months after he filed his report.

The vulnerability, tracked as CVE-2022-20465, allows an attacker with physical access to bypass lock screen protections such as the fingerprint and PIN prompts and gain full access to the user’s device.

What is the CVE-2022-20465 vulnerability?

CVE-2022-20465 lets anyone with their own SIM card bypass the lock screen of a Pixel 5 or Pixel 6 (at least) and unlock the phone. It was a full lock screen bypass that needed no extra hardware (beyond an ordinary SIM card) and no particular hacking expertise.

How is this vulnerability exploited?

Anyone with their own SIM card could unlock a Pixel phone simply by hot-swapping the card into the locked phone, entering a wrong SIM PIN three times, entering the correct PUK, and then choosing a new SIM PIN.

How does it work?

The attack is simple and easy to reproduce, even though an earlier bug report by another researcher describing the same vulnerability had gone unaddressed.

It involves locking the SIM by entering a wrong SIM PIN three times, re-inserting the SIM tray (hot-swapping it into the locked phone), resetting the SIM PIN by entering the card’s PUK code (normally printed on the SIM’s original packaging), and then choosing a new PIN. At that point the lock screen is dismissed without the device PIN or fingerprint ever being entered.

What makes it more dangerous?

According to Schütz, nothing beyond physical access was needed to exploit this vulnerability, because the attacker could simply bring their own PIN-locked SIM card.

A potential attacker inserts such a SIM, one with its PIN lock enabled and whose PUK code the attacker knows, into the victim’s handset and runs through the steps above.

How was this vulnerability dealt with?

To Google’s credit, and given the gravity of the attack, Schütz states that Google responded within 37 minutes of his filing the report exposing the vulnerability. It nevertheless took the company months to ship a fix for Pixel phones.

How has this vulnerability affected Android?

Schütz speculated, without direct evidence, that other Android OEMs may also have been affected. Because the affected code is part of Android itself, which other manufacturers build on, this is a real possibility: the flaw sits in the operating system’s handling of so-called “security screens”, the PIN entry, password, fingerprint and SIM PIN/PUK screens the lock screen shows in turn.
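The sequence described earlier (the attacker’s own PIN-locked SIM, three wrong SIM PINs, the PUK, a new PIN) and the security-screen handling it abuses can be pictured with a small model. The code below is an added illustration written for this article, not AOSP or Google code; the class and method names (SecurityMode, Sim, Keyguard, puk_bypass_attempt) are invented, the SIM card and PINs are constructed test data, and the order in which the SIM-state change and the screen-dismiss request arrive is a simplification of the reported behaviour. With check_screen_on_dismiss=False a satisfied PUK screen dismisses whatever screen happens to be showing, which by then is the device PIN screen; with it set to True, the dismiss is refused unless the screen on display is the one that was actually authenticated.

```python
"""Toy model of a lock screen that stacks security screens (device PIN plus, for a
PIN-locked SIM, SIM PIN / PUK screens shown first).  Illustrative only, not AOSP code."""
from enum import Enum, auto

class SecurityMode(Enum):
    DEVICE_PIN = auto()  # device PIN / pattern / password / biometric prompt
    SIM_PIN = auto()     # carrier SIM PIN prompt
    SIM_PUK = auto()     # shown after three wrong SIM PINs

class Sim:
    """Constructed SIM card: PIN-locked, with a PUK the attacker knows."""
    MAX_PIN_TRIES = 3

    def __init__(self, pin: str, puk: str):
        self._pin, self._puk = pin, puk
        self.bad_pin_count, self.puk_required, self.unlocked = 0, False, False

    def try_pin(self, pin: str) -> bool:
        if self.puk_required or self.unlocked:
            return False
        if pin == self._pin:
            self.unlocked = True
            return True
        self.bad_pin_count += 1
        self.puk_required = self.bad_pin_count >= self.MAX_PIN_TRIES
        return False

    def try_puk(self, puk: str, new_pin: str) -> bool:
        if not self.puk_required or puk != self._puk:
            return False
        self._pin, self.puk_required, self.unlocked = new_pin, False, True
        return True

class Keyguard:
    def __init__(self, device_pin: str, check_screen_on_dismiss: bool):
        self._device_pin = device_pin
        self._check = check_screen_on_dismiss  # False = vulnerable, True = fixed
        self.sim = None
        self.locked = True
        self.current = SecurityMode.DEVICE_PIN

    def _select_screen(self) -> SecurityMode:
        """SIM screens take priority over the device credential screen."""
        if self.sim is not None and not self.sim.unlocked:
            return SecurityMode.SIM_PUK if self.sim.puk_required else SecurityMode.SIM_PIN
        return SecurityMode.DEVICE_PIN

    def on_sim_state_changed(self) -> None:
        self.current = self._select_screen()

    def insert_sim(self, sim: Sim) -> None:
        """Hot-swapping a SIM into a locked phone brings up the SIM screens."""
        self.sim = sim
        self.on_sim_state_changed()

    def enter_sim_pin(self, pin: str) -> bool:
        if self.current is not SecurityMode.SIM_PIN:
            return False
        ok = self.sim.try_pin(pin)
        if ok:
            self._dismiss(SecurityMode.SIM_PIN)  # dismissed before the SIM-state callback
        self.on_sim_state_changed()
        return ok

    def enter_sim_puk(self, puk: str, new_pin: str) -> bool:
        if self.current is not SecurityMode.SIM_PUK:
            return False
        ok = self.sim.try_puk(puk, new_pin)
        # PUK path: the SIM-state callback lands before the PUK screen asks to be
        # dismissed, so the keyguard has already moved on to the device PIN screen.
        self.on_sim_state_changed()
        if ok:
            self._dismiss(SecurityMode.SIM_PUK)
        return ok

    def enter_device_pin(self, pin: str) -> bool:
        if self.current is not SecurityMode.DEVICE_PIN or pin != self._device_pin:
            return False
        return self._dismiss(SecurityMode.DEVICE_PIN)

    def _dismiss(self, authenticated_screen: SecurityMode) -> bool:
        """A satisfied screen asks to be dismissed; True if the device unlocked.
        The fix refuses when the screen on display is not the one just authenticated."""
        if self._check and self.current is not authenticated_screen:
            return False
        if self.current in (SecurityMode.SIM_PIN, SecurityMode.SIM_PUK):
            self.current = self._select_screen()  # a SIM screen: show the next one
            return False
        self.locked = False  # the device credential screen: finish, phone unlocks
        return True

def puk_bypass_attempt(kg: Keyguard, sim: Sim, puk: str) -> bool:
    """The reported sequence: hot-swap the attacker's SIM, burn three wrong SIM PINs,
    enter the PUK, pick a new SIM PIN.  True if the phone unlocked without its PIN."""
    kg.insert_sim(sim)
    for _ in range(Sim.MAX_PIN_TRIES):
        kg.enter_sim_pin("0000")  # any PIN other than the SIM's own
    kg.enter_sim_puk(puk, "1111")
    return not kg.locked
```

Running puk_bypass_attempt against Keyguard("1234", check_screen_on_dismiss=False) returns True: the device unlocks although "1234" was never entered. With the check enabled it returns False and the keyguard is left on the device PIN screen, which is the behaviour a user expects after clearing a SIM lock. The point of the check is that "dismiss" must name the screen that was satisfied rather than act on whatever screen is current, because screen transitions can be triggered by events (here a SIM state change) that arrive between authentication and dismissal.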

Samsung phones were reportedly not affected in the cases tested, which is credited to the Korean company’s own Android skin and proprietary lock screen software. That is consistent with the bug living in the stock Android code rather than in the hardware, though it does not by itself show that Samsung’s phones are more secure than Google’s overall.

To sum it all up!

This is not the first time a security researcher has found severe security flaws in Android phones. In April 2022, Check Point Research (CPR) disclosed vulnerabilities in Qualcomm and MediaTek audio decoders that, if left unpatched, could have left a significant share of Android phones exposed to remote code execution.