Major Android vulnerability goes unclosed for… almost six months!

One of the most curious and menacing bugs in Android smartphones, and the problems they had closing it.

How long does it take to close serious vulnerabilities?

In the summer of 2022, cybersecurity expert David Schutz was returning home after a long day on the road. His Google Pixel 6 smartphone was running out of juice: by the time David finally got home, it was down to 1%. And as luck would have it, the phone turned off in the middle of messaging. Schutz found his charger and turned the phone back on, but couldn’t carry on texting — he had to enter the SIM PIN code. Worn out after the trip, David entered the wrong PIN three times. This meant entering another secret code — the PUK. Having done that, David was invited to unlock the phone with a fingerprint. But after the fingerprint was recognized, it froze.

After restarting your phone, fingerprint unlocking is not usually an option. An unlock code is required.

After restarting your phone, fingerprint unlocking is not usually an option. An unlock code is required. Source.

Anyone else would probably have put these strange happenings down to software glitches, restarted the phone again, and got on with their life. But David, a researcher with a good nose for weird-behaving software and devices, decided to get to the bottom of why his phone no longer wanted an unlock code after restarting. After several unsuccessful attempts, David realized that a restart in this case is unnecessary. Take a locked smartphone, remove the SIM card, reinsert it, enter a wrong PIN code three times, enter the PUK code… What happens? Turns out you can completely bypass the phone’s lock screen! Schutz detailed the discovery on his blog, but if you assume that Google quickly fixed it, think again. This gaping security hole threatened a huge number of smartphones running Android (versions 11 to 13) for almost half a year — from June to November!

Practical demonstration of bypassing the lock screen using a SIM card.

What?!

In essence, the vulnerability lets someone bypass the lock screen and get access to all data on the phone without knowing the secret code. No sophisticated attack mechanism is required at all. There’s no need to connect any external devices to the smartphone or search for new vulnerabilities in the software. You just take out and reinsert the SIM card (the attacker can use their own), enter a wrong PIN three times, enter the PUK code, change the PIN — and you get access to the phone. The only condition is that the phone must be turned on and have been previously unlocked by the owner at least once.

The vulnerable software is located in the freely distributed part of Android — where anyone can see the source code. That let us find out how such a fairly simple bug could have appeared. In fact, Android smartphones have several lock screens, including the screen for entering a secret code, a prompt to scan your fingerprint, or a window for entering the SIM PIN code. Successfully passing one of the verifications would originally trigger next lock screen to appear, no matter which one. The whole system worked fine, except for the PUK code lock screen. Entering the PUK caused the “dismiss lock screen” function to be called up twice. Instead of showing the fingerprint scan screen, the phone was unlocked. The issue was resolved with some fairly major modifications of the Android code, which resulted in each lock screen being controlled independently.

Bureaucracy versus security

So, why did it take almost six months to eliminate this serious vulnerability? Schutz sent a description of the vulnerability through Google’s bug bounty service. According to the program rules, a discovered vulnerability for bypassing the lock screen on multiple (or even all) devices can earn the researcher up to US$100,000. But instead of cash, David received several weeks of silence, and then… his submission was rejected as a duplicate — someone else already had informed Google about the vulnerability.

David resigned himself to losing out on a well-deserved payout. In the meantime, September came (it was getting on for three months since his report), and he was sure the vulnerability would be fixed in the next set of patches. But no. With the September update installed, his phone still allowed him to bypass the lock using the SIM card trick. Coincidentally, in September there was a Google event for security researchers. There, David personally demonstrated the bug to company developers. That was the lightbulb moment for them at last, and the vulnerability was patched in the November update of Android.

Even if an earlier bug report had existed, Google hadn’t reacted at all. Nor was there any response to David’s message in June 2022. Only a face-to-face with the developers got the vulnerability closed. In the end, Schutz received a US$70,000 payout for his efforts.

The price of security

As smartphone users, we expect at least critical bugs to be prioritized by the developers and closed quickly. This story of the lock screen bypass on Android smartphones shows that this isn’t always the case. It all started well: the vulnerability was found, luckily, by a white-hat researcher who did not sell it on the darknet where it could have been used for nefarious purposes; instead, he informed the company. Google simply had to close the hole promptly, but that’s where the problems began. For organizations that collaborate with external security experts through bug bounty programs, it gives food for thought: are enough resources allocated internally to fixing bugs in good time?

Tips