Cybersecurity researcher David Schütz accidentally found a way to bypass the lock screen on his fully patched Google Pixel 6 and Pixel 5 smartphones, allowing anyone with physical access to the device to unlock it.

Exploiting the vulnerability to bypass the lock screen on Android phones is a simple five-step process that wouldn’t take more than a few minutes.

Google fixed the security issue on the latest Android update released last week, but it remained available for exploitation for at least six months.

Accidental discovery

Schütz says he discovered the flaw by accident after his Pixel 6 ran out of battery, entered his PIN three times, and retrieved the locked SIM card using the PUK (Personal Unblocking Key) code.

To his surprise, after unlocking the SIM card and selecting a new PIN, the device did not ask for the lock screen password, only a fingerprint scan.

Android devices always ask for a password or lock screen pattern when rebooting for security reasons, so jumping directly to fingerprint unlock was not normal.

The researcher continued to experiment, and when he tried to reproduce the flaw without rebooting the device and from an unlocked state, he thought it was also possible to bypass the fingerprint prompt, by going directly to the home screen.

The impact of this security vulnerability is quite broad, affecting all devices running Android versions 10, 11, 12, and 13 that have not been updated to the November 2022 Patch level.

Physical access to a device is an important prerequisite. However, the flaw still has serious consequences for people with violent spouses, those under police investigation, owners of stolen devices, and more.

The attacker can simply use their own SIM card on the target device, disable biometric authentication (if locked), enter the wrong PIN three times, provide the PUK number and gain access to the victim’s device without restriction.

Google’s patches

The issue is caused by the keyguard being incorrectly rejected after a SIM PUK unlock due to a conflict in rejection calls affecting the stack of security screens that run below the dialog.

When Schütz entered the correct PUK number, a “dismiss” function was called twice, once by a background component that monitors the status of the SIM card and once by the PUK component.

This caused not only the PUK security screen to be removed, but also the next security screen in the stack, which is the keyguard, followed by the next screen that was queued in the battery.

If there is no other security screen, the user goes directly to the home screen.

Schütz reported the flaw to Google in June 2022, and although the tech giant acknowledged receipt and assigned a CVE ID of CVE-2022-20465, they didn’t release a patch until November 7, 2022.

Google’s solution is to include a new parameter for the security method used in each “dismiss” call so that calls dismiss specific types of security screens and not just the next one in the stack.

In the end, although Schütz’s report was a duplicate, Google made an exception and awarded the researcher $70,000 for his discovery.

Android 10, 11, 12, and 13 users can fix this flaw by applying the November 7, 2022 security update.