The November security package fixes a serious vulnerability

As it turned out later, for the last half year or so it was essentially child’s play to circumvent any line of defense on Android devices, be it biometric identification combined with a SIM PIN or any other protection that can be used to lock the device. Security expert and quasi-ethical hacker David Schütz discovered the problem completely by accident when he entered his PIN incorrectly several times.



Schütz reported the bug to Google on the appropriate official platform in June, but the fix had to wait until the November security package. Based on the presentation of the case, Google had to be pestered quite a lot before it started to deal with the problem in a meaningful way, but in the end the vulnerability was eliminated with the November patch.

Schütz discovered the issue on a Pixel 6 model and then reproduced it on his earlier Pixel 5 device, but since the bug is in the AOSP code, devices from other manufacturers running Android 10, Android 11, Android 12, Android 12L and Android 13 were also affected.


In order to unlock the device, you must first have physical access to it, so this is not a trick that can be carried out remotely. With the device locked but not switched off, the SIM card must be replaced with one on which PIN code protection is active and whose PUK code is known. Enter the PIN code of the new card incorrectly three times, and the card will lock and ask for the PUK code. The correct PUK code unlocks the SIM and takes you straight to the main screen without any additional security steps. It probably works the same way with an eSIM. It’s frighteningly simple. Or rather, it was, because this method is no longer an option.

In such scenarios, SMS or call-based two-step verification comes in handy, since the confirmation codes for our accounts and individual transactions are still sent to our own mobile number, as do the biometric or additional approval solutions set up within applications (banking applications, Google Play purchases, etc.). The data that is available without them (social accounts, documents, photos, notes, etc.) is still compromised, however, and the stolen device can now be restored to factory condition and used or sold as new.


Schütz at the Google ESCAL8 bug hunting event in London.

Under Android and Google’s Device Security reward program, unlocking the device is worth 100,000 dollars (approximately HUF 40 million). The reward applies to software-based lock screen bypasses that affect multiple or all devices. Spoofing attacks using synthetic biometrics (fake masks, fingerprints, etc.) are not eligible for rewards.

Since, according to Google’s database, this vulnerability had already been reported before Schütz, the European security specialist living in Szeged was not entitled to the reward for discovering and reporting the error. However, it was thanks to his intervention and persistence that Google started to deal with the problem at all, so his efforts to improve the security of the system were rewarded with 70 thousand dollars.
