Complete Lock Screen Bypass on Google Pixel devices

Summary:

Screen on all Pixel phones (tested with Pixel 6 & 5) will unlock after a SIM PIN is reset using a PUK code.

Impact:

It is possible to completely bypass the lock screen on (seemingly) all Pixel phones if an attacker has physical access to the device.

Steps to reproduce:

1. Lock the device
2. Remove the SIM tray and insert a SIM card which has a PIN code set up
3. Enter the SIM code incorrectly 3 times to disable the SIM card and make it require a PUK code
4. Enter the valid PUK code for the SIM card and follow the instructions to set a new PIN code
5. See that the device is now unlocked

POC video:

The POC video was created later and was not sent to Google.

References:

• CVE: CVE-2022-20465
• Accompanying blog post: Accidental $70k Google Pixel Lock Screen Bypass
• Fix commit in AOSP: ecbed81 - Do not dismiss keyguard after SIM PUK unlock
• Android Security Bulletin: Android Security Bulletin - November 2022

---

Discussion:

Vendor - 2022-06-13 (T+ 37 minutes)

Thank you for submitting this report. We’ve filed an internal report for the Android engineering team to investigate further (specified by the Android ID label). Please follow coordinated disclosure practices, such as keeping this report confidential until we have had time to assess your issue, and if necessary, release an update for Android devices.

PLEASE TAKE THE FOLLOWING ACTIONS NOW, if you have not already:

1. Sign the Google Contributor License Agreement (1).
2. In a comment below, let us know how you would like to be acknowledged (2) for discovering this potential vulnerability (including company affiliation, if any).
3. Provide a PoC that reproduces against a recent Android build (not more than 30 days old).

The typical lifecycle for a confirmed security vulnerability is as follows:

1. Initial severity rating assessment (subject to change after review by component owners) (3)
2. Development of an update
3. Assignment of CVE
4. Shared under NDA, as part of coordinated disclosure, to Android partners for remediation
5. Release in a public Android security bulletin
6. Android Security Rewards payment (if applicable)

Most of these steps will typically be communicated in the sidebar. Please note that we may not reply to requests for status updates or information, however we will continue our typical assessment and remediation efforts. This issue will be updated with information once the reported issue is publicly fixed, if not prior.

Thank you, Android Security Team

(1) Contributor license agreement: https://cla.developers.google.com/clas
(2) Android Security Acknowledgements: https://source.android.com/security/overview/acknowledgements
(3) Android severity guidelines: https://source.android.com/security/overview/updates-resources.html \

---

Me - 2022-07-01 (T+ 18 days)

Hi,

As instructed by the above comment, here is how I’d like to be acknowledged for this potential vulnerability:
“David Schütz (@xdavidhu)”

I have also signed the Contributor License Agreement.

Thank you,
David

---

Vendor - 2022-07-05 (T+ 22 days)

David,

Thank you for updating your acknowledgement information.

Best,
Android Security Team

---

Vendor - 2022-07-14 (T+ 31 days)

Hello David,

The Android Security Team believes that this is a duplicate of an issue previously reported by another external researcher.
The duplicate issue is being tracked by the Android ID reflected in the status of this ticket.

Thank you,
Android Security Team

---

Me - 2022-08-11 (T+ 59 days)

Hey,

What is the status of this bug?
When will a fix be rolled out?

Thank you,
David

---

Vendor - 2022-08-11 (T+ 59 days)

Hello David,

We are still working on the initial report we received for this issue. Once fixed it will be released in an Android Security Bulletin at that time.

Thank you,
Android Security Team

---

Me - 2022-09-09 (T+ 88 days)

Hey,

I was able to reproduce this issue on the latest September 5, 2022 security patch.
It has been almost 4 months since I reported this issue and considering the impact, this feels too long of a delay.

Can you let me know the ETA of the fix? I’d like to disclose this issue.

Thank you,
David

---

Me - 2022-09-10 (T+ 89 days)

Hey,

I’m planning to publicly disclose this issue on October 15, 2022.

Thank you,
David

---

Vendor - 2022-09-15 (T+ 94 days)

Hello,

Thank you for checking in on this report. At this time we are still actively working on the remediation for the original report submitted and targeting an October release. In regards to your desire to disclose this issue, while we do not grant or deny permission to disclose issues, we would appreciate you keeping us informed of any specific disclosure plans you may have. We would also appreciate the opportunity to review in advance any materials you plan to publish.

Sincerely,
Android Security Team

---

Vendor - 2022-09-16 (T+ 95 days)

Hello!

A quick introduction; my name is [redacted] and I am [redacted] here at Google.

After talking with our release team, we are unfortunately unable to get this fix into the October or November release as they have already been built and are currently targeting the December release.

I apologize for the delay and any confusion, we really appreciate your patience while we work to get this fixed!

In your last comment you mentioned you plan to disclose this issue on October 15th 2022. Google does not grant or deny permission to go public, but I would love to continue working with you on a coordinated vulnerability disclosure if this is something you are open to.

Again, thank you so much for taking the time to submit this report, I hope you continue finding and reporting issues to our program!

[redacted]
Android Security Team

---

Me - 2022-09-16 (T+ 95 days)

Hi [redacted],

Thank you for reaching out. It is not an easy decision for me to make, but I plan to stick with my original disclosure date which is October 15, 2022.

This is due to multiple reasons, including:

• The impact of the issue
• The delay of the fix
• The fact that the issue is known to 3rd parties (since it’s a duplicate)

I always try to avoid the potential damage of disclosing live bugs, but in the case of this report, I feel like this is the best way forward.

Thank you,
David

---

Vendor - 2022-09-16 (T+ 95 days)

Hi David,

I understand, thank you for keeping us informed of your disclosure plans.

We are working to expedite the release of this fix and will let you know if we have any new information. In the mean time, I would be happy to set up a call with us and one of our engineers to talk about this fix and ways that we might improve our communication on future reports! If this is something you would be open to please let me know some of your availability next week.

Thank you again and have a great weekend,
[redacted]

---

Me - 2022-09-18 (T+ 97 days)

Hi [redacted],

Thank you for this response, I appreciate it.

I’d be happy to do the call that you mentioned. My availability next week is (in UTC+2):

• Monday: any time, except 13:00-14:00
• Tuesday: before 16:00

From Wednesday my availability will be limited.

Does that work for you? Let me know.

Thank you,
David

---

Vendor & Me

talking about possible dates for the call

---

Vendor - 2022-09-20 (T+ 99 days)

Perfect, I’ll set up the call. Thank you - and thank you again for taking the time to meet with us!

[redacted]

---

Vendor - 2022-09-30 (T+ 109 days)

Hello David,

Thank you again for taking the time to talk with us today!

I wanted to share some meeting notes from our call. I kept them pretty high level but please let me know if there is anything else you would like to clarify. After our call we investigated your report in a little more detail, and I am hoping to have some additional information to share with you early next week!

Meeting Notes:

The fix for this issue has been scheduled for the November release under CVE-2022-20465. While unlikely this is subject to change, and we will reach out and let you know if anything changes.
David shared feedback for the Android VRP including ways to increase transparency, send more frequent status updates, use fewer templates (especially for duplicates), and duplicate report process.
Google shared insight around the case duplication process; the report is scored for initial severity but determined to be a duplicate after reviewed by other engineers and feature team. Due to how Android builds and shares fixes with partners, Android Security Teams need several weeks to release a fix to ensure proper testing.
While this issue reproduces in Pixel, the underlying component may still be used by other partners.
David intends to disclose the report (including POC) on October 15th.

As I mentioned during the call, hearing about your experience first hand was tremendously helpful. It gave me a lot of great feedback for how we can improve our program moving forward (i.e. more frequent status updates and more personal communication) and I can’t thank you enough for taking the time. If you have any other questions (about this report or anything else) please do not hesitate to reach me at android-security-rewards@google.com, or my personal email [redacted].

Have a great weekend!

[redacted]
Android Security Team

---

Vendor - 2022-10-12 (T+ 121 days)

Hello David,

Thank you again for taking the time to submit this report and chat with us last week.

After we investigated further, we wanted to share some additional insights we discovered as a result of your report.

The same issue was submitted to our program earlier this year, but we were not able to reproduce the vulnerability. When you submitted your report, we were able to identify and reproduce the issue and began developing a fix.

To ensure Android users are as secure as possible, we worked to release a fix as quickly as possible. As mentioned in our call, we build patches weeks before release to ensure proper testing for Android and our partners. Re-building the October release so late in development would have likely caused a break or delay, putting users at even greater risk. For this reason, the earliest we are able to release a fix for this issue is our November release going out on 11/07/2022.

We typically do not reward duplicate reports; however, because your report resulted in us taking action to fix this issue, we are happy to reward you the full amount of $70,000 USD for this LockScreen Bypass exploit!

Thank you for patience and feedback throughout this process. This was your first report to the Android VRP, but I hope it will not be the last!

If you have any other questions or concerns please don’t hesitate to reach out - you can comment directly on this bug or email me at android-security-rewards@google.com.

Have a great rest of your week,
[redacted]
Android Security Team

---

Me - 2022-10-24 (T+ 133 days)

Hi [redacted],

Thank you for deciding on rewarding this issue and for asking for my feedback. It shows that you do really care about the researcher experience. Definitely makes me (and probably others) more likely to participate in the Android VRP again in the future.

Regarding disclosure, I decided to wait for the November patch to go out. Considering the bigger picture, the ~20 days between my original disclosure deadline and the patch being available didn’t seem to worth publicly disclosing a live bug like this for.

Have a great week,
David

---

Vendor - 2022-10-24 (T+ 133 days)

Hi David,

Sounds great, thank you so much for your work with our program! Please don’t hesitate to reach out if you have any questions or concerns :)