CVE-2022-20465: Google Pixel lock screen bypass might affect Android vendors

CVE-2022-20465

Google has started rolling out this month’s security updates for its mobile operating system platform to address over 40 vulnerabilities affecting Android devices, including multiple high-severity escalations of privilege bugs.

The vulnerabilities affect various Android components, including the Android operating system, framework, library, and media framework, as well as Qualcomm components, including closed-source components.

The ‘2022-11-01 patch level’ fixed 12 bugs that lead to the escalation of privilege (EoP). Among them, CVE-2022-20465 is a noteworthy security vulnerability. This bug affects all Pixel smartphones that could be exploited to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s device. Security researcher David Schütz was credited for the security flaw and awarded $70,000 for it.

The bug exists in functions of KeyguardHostViewController.java and related files. The attacker possibly lockscreen bypass due to a logic error in the code.

Steps to reproduce:

  1. Lock the device
  2. Remove the SIM tray and insert a SIM card which has a PIN code set up
  3. Enter the SIM code incorrectly 3 times to disable the SIM card and make it require a PUK code
  4. Enter the valid PUK code for the SIM card and follow the instructions to set a new PIN code
  5. See that the device is now unlocked

After PUK unlock, multiple calls to KeyguardSecurityContainerController#dismiss() were being called from the KeyguardSimPukViewController, which begins the transition to the next security screen, if any. At the same time, other parts of the system, also listening to SIM events, recognize the PUK unlock and call KeyguardSecurityContainer#showSecurityScreen, which updates which security method comes next. After boot, this should be one of PIN, Password, or Pattern, assuming they have a security method. If one of the first dismiss() calls comes AFTER the security method changes, this is incorrectly recognized by the code as a successful PIN/pattern/password unlock. This causes the keyguard to be marked as done, causing screen flickers and an incorrect system state.

The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code,wrote in a write-up of the CVE-2022-20465 flaw.

Users are strongly recommended to download the most recent Android security updates as soon as they are available in order to keep their Android devices protected against any potential attack.