Photo: Fandistico (Shutterstock)
Your phone’s lock screen is supposed to be a safeguard against the world (and accidental unlocks in your pocket). When it’s locked, your phone can’t be opened without either the passcode, a face scan, or a fingerprint. If you lose your phone or someone snatches it from you, you can rest assured they won’t be able to do anything with it. Except right now they can, thanks to a recently discovered vulnerability allowing anyone to bypass an Android device’s lock screen.
As reported by Bleeping Computer, cybersecurity researcher David Schütz discovered a way to unlock both a Google Pixel 6 and Pixel 5 without needing to know the passcode. It happened after his Pixel 6 ran out of charge, and after he incorrectly entered his PIN wrong three times. His SIM card was then locked, so he entered the PUK (Personal Unblocking Key) to restore it.
However, once the SIM was recovered, the Pixel asked him to scan his fingerprint. That shouldn’t happen, since Pixels (as well as most phones) require you to enter the passcode in order to unlock after a reboot. You shouldn’t have the option to use your fingerprint to unlock the phone until after one successful unlock with the passcode.
From there, Schütz realized there was a legitimate security flaw here. If an attacker inserts their own SIM into a target’s Android, then enters the wrong SIM PIN three times, they can enter their SIM’s PUK to be able to create a new SIM PIN. Once they do, they bypass the lock screen entirely and access the phone. You can watch the hypothetical attack play out in the video below:
Pixel 6 Full Lockscreen Bypass POC
Schütz brought this flaw to Google’s attention back in June of this year, but it took the company five months to finally push a patch. Still, it’s good there is a patch: It’s not clear how long this vulnerability was actually floating around, potentially putting millions of Androids in jeopardy.
G/O Media may get a commission
How to fix the latest lock screen security flaw on Android
If you have a phone running Android 10, 11, 12, or 13, you need to install the November 2022 security update in order to patch this vulnerability. If you already installed the patch, you’re good to go! But otherwise, install it ASAP.
To install a security patch on Android, head to Settings > System > System Update, then allow the OS to look for a new update. If there’s one available, you can download and install it from here. You can also check for security updates from Settings > Security > Google Security checkup.