A Simple Android Lock Screen Bypass Bug Landed a Researcher $70,000 (techcrunch.com)
Google has paid out $70,000 to a security researcher for privately reporting an "accidental" security bug that allowed anyone to unlock Google Pixel phones without knowing their passcode. From a report: The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local escalation of privilege bug because it allows someone, with the device in their hand, to access the device's data without having to enter the lock screen's passcode. Hungary-based researcher David Schutz said the bug was remarkably simple to exploit but took Google about five months to fix.
Schutz discovered anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android operating system's lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schutz described how he found the bug accidentally and reported it to Google's Android team.
Good way of monitoring backdoors (Score:3, Insightful)
..is to have someone claim money when they get discovered.
Re: (Score:3)
I think it means to say "we have this secret exploit that we share with the TLAs etc. and we'll know when it becomes useless (public) when someone collects the bounty" /tinfoilhat
What other devices might this work on? (Score:2)
Re: (Score:2, Insightful)
^^ found the cop!
Bounties for serious bugs should be (Score:4, Interesting)
It’s almost like they are carefully managing the pace of bug reporting and they don’t really want outside help all THAT much. I suspect these bounty programs are mostly for PR purposes.
Re:Bounties for serious bugs should be (Score:4, Insightful)
The point of bounties is to bribe discoverers, not to punish Google. How significant it is to Google isn't important. And why should it be?
In fact, insignificance to the bottom line keeps the program running. That's a good thing.
Did it actually take Google 5 months to fix it... (Score:2, Troll)
Given how much money governments and agencies of all kinds spend on zero-day exploits, it seems like a good investment to pay significant bug-bounties as long as those payments keep your exploits valuable.
Backdoor (Score:3)
Thanks, David, for exposing an "accidental" backdoor and forcing it to be closed.
It would be great to see the diff on this one.
Re:Backdoor (Score:5, Informative)
12 changed files with 102 additions and 26 deletions. [github.com]
No longer need Pegasus on older androids? (Score:2)
I had a Nexus 6 up until a year ago. It is a tank but wasn't patched since 2017. I'm assuming it would have been vulnerable.
They don't take security seriously (Score:1)
Re: (Score:2, Insightful)
Such a simple fucking protocol and you didn't think to proactively sanitize and bounds check everything in advance before carelessly tossing it back to privileged libraries to choke on?
1. It's less simple than you suggest.
2. Never trust data that you don't directly control. Ever. Even (and perhaps especially) when it comes from other code within your very own company.
So, you're not wrong, but you're being an ass.
Re: (Score:2)
Lest you forget, there are real-world implications for this carelessness. Authoritarian governments count on lax security so they can figure out who to jail and torture.
Re: (Score:2)
Myopia is a big problem with security testing in general.
The industry loves black box testing because it's cheaper (does not require nearly as many hours). It's lower risk: you are not passing out your secret sauce to as many third parties. Finally, cynically, it finds fewer problems.
If you hand someone a device like a locked phone and say "see what you can do to get into this, without resorting to anything destructive, you have two weeks" are they going to go and get a bunch of activated SIMs and swapping things a
This bug couldn't affect me (Score:2, Offtopic)
I never set a password on my lock screen!
Perhaps I misunderstood. (Score:4, Interesting)
I thought that the device was encrypted and entering the PIN provided the secret required for decryption. e.g. The SIM PIN shouldn't be enough information to decrypt the storage. Is that not how this is supposed to work on mobile devices?
Re: Perhaps I misunderstood. (Score:3)
Some things don't need the passcode. Obviously the software allowing you to enter the passcode. Making emergency calls. Taking photos. Alarm clock ringing. It's up to the developer to decide whether their software or stored data n
eSIM (Score:1)