Security researcher David Schütz has discovered a vulnerability in Android that allows unlocking a PIN- or fingerprint-protected phone using a SIM card’s PUK code. The vulnerability has since been fixed by Google.
According to Schütz, the vulnerability worked on the Pixel 6, Pixel 5 and possibly other smartphones as well. The attack consisted of removing the SIM card from the phone and reinserting it, which prompts for the SIM card’s PIN. The attacker then deliberately enters the PIN incorrectly three times, after which the phone prompts for the PUK code.
When the PUK code is entered correctly, the phone unlocks immediately, even if a fingerprint or PIN code is set. To exploit the vulnerability, the attacker must have physical access to the phone and must also know the PUK code of the SIM card. The latter can be achieved by inserting a SIM card whose PUK code the attacker already knows.
The vulnerability, tracked as CVE-2022-20465, affected Android versions 10 through 13 according to the CVE list and was located in the KeyguardHostViewController.java file and related files. Because of a bug in this file, the operating system dismissed all other security screens once the PUK code had been entered correctly, so in practice a correct PUK code was treated as a correctly entered PIN or fingerprint. The bug is not present on all phones: Tweakers tested the vulnerability on a Galaxy A51 that had not yet been updated, and entering a PUK code did not unlock that phone.
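To make the flaw concrete, here is an added, deliberately simplified model of how a keyguard sequences its security screens. It is constructed for this article and is not Android’s own code: the vulnerable variant dismisses every remaining screen after a correct PUK, as described above, while the hardened variant only clears the SIM obstacle and still demands the device credential.

```python
"""Simplified model of the keyguard logic behind CVE-2022-20465.
Constructed example, not Android's own code. Screens chain as
SIM PIN -> SIM PUK -> device PIN; only the PUK handling differs."""
from dataclasses import dataclass

SIM_PIN, SIM_PUK, DEVICE_PIN, NONE = "sim_pin", "sim_puk", "device_pin", "none"


@dataclass
class Keyguard:
    sim_pin: str
    puk: str
    device_pin: str
    hardened: bool
    pin_failures: int = 0
    screen: str = SIM_PIN   # screen the bouncer currently asks for
    unlocked: bool = False

    def enter(self, secret: str) -> str:
        # Feed one credential to the current screen; return the next screen.
        if self.screen == SIM_PIN:
            if secret == self.sim_pin:
                self.screen = DEVICE_PIN
            else:
                self.pin_failures += 1
                if self.pin_failures >= 3:
                    self.screen = SIM_PUK        # SIM is now blocked
        elif self.screen == SIM_PUK:
            if secret == self.puk:               # PUK retry limit not modelled
                self.pin_failures = 0
                self._sim_unblocked()
        elif self.screen == DEVICE_PIN:
            if secret == self.device_pin:
                self.screen, self.unlocked = NONE, True
        return self.screen

    def _sim_unblocked(self) -> None:
        if self.hardened:
            self.screen = DEVICE_PIN             # device credential still owed
        else:
            # Vulnerable: all remaining screens dismissed, PUK acts as device credential
            self.screen, self.unlocked = NONE, True


def replay_reported_steps(kg: Keyguard, wrong_pin: str, puk: str) -> str:
    """Three wrong SIM PINs, then the PUK, as the report describes."""
    for _ in range(3):
        kg.enter(wrong_pin)
    return kg.enter(puk)
```

Running the same sequence against both variants shows the difference: the vulnerable keyguard ends in an unlocked state, the hardened one returns to the device PIN screen.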
Schütz contacted Google in June, but the bug wasn’t fixed until November. The security researcher says communication was difficult, and Google only took the report seriously when he was able to demonstrate the bug to a number of Google employees at a bug bounty event. Schütz received a $70,000 bounty for reporting the vulnerability, as an exception: he wasn’t the first researcher to report the bug, but because he kept pressing the issue, he still received the reward.