A Simple Android Lock Screen Bypass Bug Landed a Researcher $70,000

Google has paid out $70,000 to a security researcher for privately reporting an "accidental" security bug that allowed anyone to unlock Google Pixel phones without knowing its passcode. From a report: The lock screen bypass bug, tracked as CVE-2022-20465, is described as a local escalation of privilege bug because it allows someone, with the device in their hand, to access the device's data without having to enter the lock screen's passcode. Hungary-based researcher David Schutz said the bug was remarkably simple to exploit but took Google about five months to fix.

Schutz discovered anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter its preset recovery code to bypass the Android's operating system's lock screen protections. In a blog post about the bug, published now that the bug is fixed, Schutz described how he found the bug accidentally, and reported it to Google's Android team.

Good way of monitoring backdoors

[BardBollocks]

..is to have someone claim money when they get discovered.

Re:

[Bearhouse]

I think it means to say "we have this secret exploit that we share with the TLAs etc. and we'll know when it becomes useless (public) when someone collects the bounty" /tinfoilhat

What other devices might this work on?

[Team Rocket Elite]

Is there a way to know what other Android devices this might work on? I have a friend who got locked out of their phone (LG Premier Pro (Model LML414DL)) and this sounds like something that might let them break into their own phone.

Re:

[Anonymous Coward]

^^ found the cop!

Bounties for serious bugs should be

[hdyoung]

10 times that. The effect on Google’s bottom line wouldnt even show up as pocket change, and they might actually make progress on security.

It’s almost like they are carefully managing the pace of bug reporting and they don’t really want outside help all THAT much. I suspect these bounty programs are mostly for PR purposes.

Re:Bounties for serious bugs should be

[Petersko]

The point of bounties is to bribe discoverers, not to punish Google. How significant it is to Google isn't important. And why should it be?

In fact, insignificance to the bottom line keeps the program running. That's a good thing.

Did it actually take Google 5 months to fix it...

[ffkom]

... or were those 5 months just the period Google was paid for (>>70k) by unofficial customers who are interested in compromising devices?
Given how much money governments and agencies of all kinds spend on zero-day exploits, it seems like a good investment to pay significant bug-bounties as long as those payments keep your exploits valuable.

Backdoor

[bill_mcgonigle]

Thanks, David, for exposing an "accidental" backdoor and forcing it to be closed.

It would be great to see the diff on this one.

Re:Backdoor

[arosenfield]

12 changed files with 102 additions and 26 deletions. [github.com]

No longer need Pegasus on older androids?

[schwit1]

I had a Nexus 6 up until a year ago. It is a tank but wasn't patched since 2017. I'm assuming it would have been vulnerable.

They don't take security seriously

[RemindMeLater]

Sorry, for all the marketing hype about Titan Chip this or whatever, this is such an obvious workaround that I refuse to believe an intelligent security researcher with intimate knowledge of the workings of the OS couldn't have thought of this. And supposedly Google employs lots of them. It's right up there with Apple phones getting hacked by sending a single message. Really? Such a simple fucking protocol and you didn't think to proactively sanitize and bounds check everything in advance before careless

Re:

[Arethan]

Such a simple fucking protocol and you didn't think to proactively sanitize and bounds check everything in advance before carelessly tossing it back to privileged libraries to choke on?

1. It's less simple that you suggest.
2. Never trust data that you don't directly control. Ever. Even (and perhaps especially) when it comes from other code within your very own company.

So, you're not wrong, but you're being an ass.

Re:

[RemindMeLater]

when one security researcher can uncover a half dozen vulnerabilities it's clear your half-trillion dollar company isn't paying much more than cursory interest in security. https://www.wired.com/story/im... [wired.com]

Lest you forget, there are real-world implications for this carelessness. Authoritarian governments count on lax security so they can figure out who to jail and torture.

Re:

[DarkOx]

Myopia is a big problem with security testing in general.

The industry loves black box testing because its cheaper (does not require nearly as many hours). Its lower risk you are not passing out your secret sauce to as many third parties. Finally cynically it finds fewer problems.

If you hand someone a device like a locked phone and say "see what you can do get into this, without resorting to anything destructive, you have two weeks" are they going to go and get a bunch of activated SIMs and swapping things a

This bug couldn't affect me

[Tony Isaac]

I never set a password on my lock screen!

Perhaps I misunderstood.

[ElizabethGreene]

I thought that the device was encrypted and entering the PIN provided the secret required for decryption. e.g. The SIM PIN shouldn't be enough information to decrypt the storage. Is that not how this is supposed to work on mobile devices?

Re: Perhaps I misunderstood.

[gnasher719]

On iOS devices, you have a 256 bit code inside the cpu that cannot be read, a 256 bit code stored permanently (this doesnâ(TM)t provide more security but provides instant wipe), and your passcode. Most data and software is encrypted using all three inputs.

Some things donâ(TM)t need the passcode. Obviously the software allowing you to enter the passcode. Making emergency calls. Taking photos. Alarm clock ringing. Itâ(TM)s up to the developer to decide whether their software or stored data n

eSIM

[Wease2156]

Among the advantages of using the eSIM card https://esimanywhere.com/ [esimanywhere.com] in a cell phone is the availability of the network, a system that consists in requesting a connection by simply calling the telephone operator without having to buy a SIM card. This is advantageous for people who constantly travel from one country to another.