Google advises users of Android devices, particularly Pixel users, to update to the latest OS version to fix issues.
David Schütz, a security expert, discovered that swapping SIM cards could bypass the unlock password on Google phones. The flaw lets a malicious actor insert a different SIM and, in 5 straightforward steps, unlock various phone models within minutes.

Schütz reported the flaw to Google in June, but it was only fixed on the 7th of November. To prevent unauthorized access to their devices, he also advises Android users to apply the latest patch.
Schütz discovered the flaw while using a Pixel 6. After the phone's battery ran out and he rebooted it, the device prompted him for the SIM PIN. He could not recall it, and after 3 incorrect attempts the SIM was locked and demanded a PUK code to unlock it.
He did so and set a new SIM PIN to unlock the SIM. After the SIM was unlocked, however, the Pixel 6 only asked for his fingerprint to access the device, which should not happen. The researcher then found that the device could even skip the fingerprint prompt and let the user go straight to the home screen with only the SIM unlock code.
The flaw has significant implications in scenarios such as stolen devices or law enforcement agencies investigating crimes.
All Android devices running versions 10, 11, 12, and 13 that have not updated to the November patch are affected by this vulnerability, according to Google's announcement.
To exploit this vulnerability, an attacker only needs a SIM card whose PUK code they already know: they intentionally lock the SIM by entering incorrect fingerprints and PINs multiple times, then enter the PUK code to unlock the SIM and gain unrestricted access to the device.
In early November, Google disclosed this vulnerability under the identifier CVE-2022-20465. Schütz was awarded $70,000 for his reports. Google recommends that users of Android devices, especially Pixel owners, update to the latest OS version to fix the issue.
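To check a set of devices against the affected range described above, the following added example (not from Google or Schütz) parses saved `adb shell getprop` output and flags Android 10 to 13 devices whose security patch level predates the fix. The cutoff date, the device names and the sample dumps are assumptions constructed for illustration; the article only says "the November patch".

```python
import re
from datetime import date

# Assumption: the article only says "the November patch". 2022-11-01 is used
# here as the cutoff; confirm the exact level in your vendor's bulletin.
FIXED_PATCH_LEVEL = date(2022, 11, 1)
AFFECTED_MAJOR_VERSIONS = {10, 11, 12, 13}  # versions named in the article

# getprop prints one property per line as "[key]: [value]"
PROP_LINE = re.compile(r"^\[(?P<key>[^\]]+)\]: \[(?P<value>[^\]]*)\]$")

def parse_getprop(text):
    """Turn raw getprop output into a dict, ignoring malformed lines."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m["key"]] = m["value"]
    return props

def classify(getprop_text, fixed=FIXED_PATCH_LEVEL):
    """Return 'patched', 'needs-update', 'not-listed' or 'unknown'."""
    props = parse_getprop(getprop_text)
    release = re.match(r"\d+", props.get("ro.build.version.release", ""))
    if release is None:
        return "unknown"          # no usable OS version in the dump
    if int(release.group()) not in AFFECTED_MAJOR_VERSIONS:
        return "not-listed"       # outside the versions the article names
    try:
        patch = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unknown"          # missing or malformed patch level
    return "patched" if patch >= fixed else "needs-update"

# Constructed sample dumps (hypothetical devices, not real data).
SAMPLE_DEVICES = {
    "pixel6-a": "[ro.build.version.release]: [13]\n[ro.build.version.security_patch]: [2022-10-05]\n",
    "pixel6-b": "[ro.build.version.release]: [13]\n[ro.build.version.security_patch]: [2022-11-05]\n",
    "tablet-c": "[ro.build.version.release]: [9]\n[ro.build.version.security_patch]: [2019-08-01]\n",
    "phone-d": "[ro.build.version.release]: [11]\nnot a property line\n",
}

def audit(devices):
    """Classify every device dump in a {name: getprop_text} mapping."""
    return {name: classify(text) for name, text in devices.items()}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_DEVICES).items():
        print(f"{name}: {status}")
```

A result of `unknown` or `not-listed` means the dump does not allow a decision, not that the device is safe.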
(Reference QTM)
