Security expert David Schütz recently discovered a very worrying vulnerability in his Google Pixel. At stake is a mechanism that allows you to bypass any security system applied to the smartphone’s lock screen.
With a simple change of the device’s SIM card, it was possible to bypass fingerprint authentication on your Pixel. Fortunately, this vulnerability has been fixed by Google in the November security update.
Changing the SIM card was enough to control a Google Pixel
The discovery happened by chance when David Schütz forgot the PIN code for his card. After entering the respective PUK and resetting his PIN, he noticed that the smartphone automatically joined the desktop without any authentication.
The video above is pretty illustrative of the problem here. In short, it is enough to make three mistakes in the PIN code of the card, enter your PUK and choose a new PIN to have full access to the smartphone.
The security expert managed to replicate this phenomenon on his Google Pixel 6, as well as on a copy of the Pixel 5. This shows that the problem does not only refer to one model, but is linked to the operating system itself.
Given these conclusions, David Schütz reported the bug directly to Google to correct it. However, this fix is part of the new patch Security release from November, so only now have I shared this information publicly.
The vulnerability presented here has been classified by Google as CVE-2022-20465🇧🇷 The same can be found in the November security update notes, which means that all smartphones with this patch installed are protected.
This vulnerability could be problematic if hackers or thieves become aware of it before it is fixed. After all, they just have to bring their own SIM card to be able to control any illegitimately obtained copies of Google Pixel.
Google later admitted that it only became aware of the problem thanks to the report filed by David Schütz. Indeed, the American company awarded this security expert 70 thousand dollars for his important discovery.