A major lock screen vulnerability in Google Pixel smartphones has just been revealed, allowing an attacker to unlock and access your smartphone by switching out the SIM card.

The issue (CVE-2022-20465) was discovered by David Schütz, who says an “attacker with physical access [can] bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s device.” The issue has been fixed in the November security patch for Pixel devices. Read below to find out how the exploit works.

The demonstration video above shows a locked smartphone with biometrics deactivated after numerous unsuccessful attempts. After changing the SIM, you will be prompted to “Enter SIM PIN.” After three incorrect PIN attempts, you are prompted to enter the PUK code, which you should know because it’s your SIM card.

After you successfully enter the PUK code and set a new PIN for that SIM card, the phone unlocks to your home screen and gives you full access.

Schütz explains that since the attacker could just bring their own PIN-locked SIM card, nothing other than physical access was required for exploitation. The attacker could simply swap the SIM in the victim’s device and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code.

Google did not address the Pixel lockscreen issue until September, after Schütz reported the unlock bug to Android’s Vulnerability Rewards Program in the middle of this year (after some in-person prompting). A $70,000 reward was given for solving it, and it is classified as a “System” issue with “High” severity in the November security patch. The fix has been rolled out to Android 10, 11, 12, 12L, and 13 AOSP versions. The November security patch is currently available for the Pixel 4a and newer. So if you have a Pixel device with this patch available, we advise you to update ASAP.

(Via: 9to5Google)