$70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - Printable Version +- ReBreached Forums (https://rebreached.vc) +-- Forum: General (https://rebreached.vc/Forum-General) +--- Forum: World News (https://rebreached.vc/Forum-World-News) +--- Thread: $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password (/Thread-70-000-Bug-Let-Hackers-Bypass-Google-Pixel-Lock-Screen-Pattern-Password) Pages:
1
2
|
$70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - Kitang - 07-20-2023 $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password Source: https://cybersecuritynews.com/70000-bug-let-hackers-bypass-google-pixel-lock-screen-pattern-password/ David Schütz, a security researcher, has identified a critical bug in the Google Pixel phones that allow hackers to bypass the passcode and pattern lock with the consent of having physical access to the vulnerable device. A critical Lock screen bypass bug allows anyone to bypass all formats of lock screen protections including fingerprint, pattern, and PIN, by swapping the new SIM with the help of a PUK code. A local privilege escalation bug resides in the Google Pixel Phone model due to a logical error in the code that allows an attacker to exploit this bug without any additional execution privileges or user interaction. The following Android Versions are vulnerable to this bug:- Android-10 Android-11 Android-12 Android-12L Android-13 The bug was fixed by Google and released a patch update in this November Android security updates and assigned to CVE-2022-20465 with the following explanation: “In dismiss and related functions of KeyguardHostViewController.java and related files, there is a possible lock screen bypass due to a logic error in the code.” Bypass Google Pixel Lock Screen The researcher explained this bug with a simple SIM Swapping technique that required a new SIM with the PUK code that trigger the bug to bypass the screen and unlock the Pattern, passcode, and fingerprint. PUK (Personal Unlocking Key) Code is used to unlock the SIM card PIN number when the user forgot and types the wrong PIN code consecutively 3 times. The PUK code can be found printed on the SIM card package. The bug was trigged and exploited under the following steps that were performed by the researcher. Lock the vulnerable Pixel Phone and type the wrong PIN 3 times. Perform Hot Swap, a new SIM will be replaced with the old SIM on the same SIM tray. Now attempt to reset the PIN by entering the PUK code assigned to the new SIM card (An Attack SIM) As soon as the attacker types the PUK code, the Phone will let them in by allowing them to change the new PIN. “I realized that indeed, this is a got damn full lock screen bypass, on the fully patched Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too.” The researcher said in his public write-up. https://youtu.be/dSgSnYPgzT0 “After PUK unlock, multiple calls to KeyguardSecurityContainerController#dismiss() were being called from the KeyguardSimPukViewController, which begins the transition to the next security screen, if any.” At the same time, other parts of the system, also listening to SIM events, recognize the PUK unlock and call KeyguardSecurityContainer#showSecurityScreen, which updates which security method comes next. After boot, this should be one of PIN, Password, or Pattern, assuming they have a security method. If one of the first dismiss() calls comes AFTER the security method changes, this is incorrectly recognized by the code as a successful PIN/pattern/password unlock. said in the Android Bug report. Patch Advisory & Rewards: Google has acknowledged the bug after multiple reporting attempts by the researcher and rewarded $70k, once the Android security team was able to reproduce the bug. The same bug was reported earlier this year at that time they weren’t able to reproduce the same bug. “The same issue was submitted to our program earlier this year, but we were not able to reproduce the vulnerability. When you submitted your report, we were able to identify and reproduce the issue and began developing a fix.” Google said during the bug report communication. “We typically do not reward duplicate reports; however, because your report resulted in us taking action to fix this issue, we are happy to reward you the full amount of $70,000 USD for this LockScreen Bypass exploit!” How to fix: Update your device to the November 5, 2022, Security Update. An update can be triggered manually by going to Settings -> Security -> Security update -> Check for update. You might have to do it multiple times. More info about updating a Pixel device at the official help page. Affected devices: Seemingly all Google Pixel devices. Since the patch is in AOSP, other Android vendors might be affected. If you can’t update: Turn off your phone before leaving it unattended. This prevents access to the encrypted user data, but might still allow persistence. RE: $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - EraMera - 07-30-2023 How lucky omg RE: $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - ReBreached - 07-30-2023 (07-30-2023, 06:04 PM)EraMera Wrote: How lucky omg you consider this luck? RE: $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - Beelzebub - 07-30-2023 wasnt this late 2022? RE: $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - Valhalla - 07-31-2023 @Beelzebub article says update device to November 5, 2022 so yes i assume you are right RE: $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - black0maba - 08-13-2023 damn boy RE: $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - cfedele1950 - 08-14-2023 Are other brands affected as well? RE: $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - MRXO - 08-14-2023 ..... RE: $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - Dnqjqksks39o - 08-14-2023 Google never learns I guess RE: $70,000 Bug Let Hackers Bypass Google Pixel Lock Screen Pattern & Password - siker - 07-12-2024 wait is it work just on pixel generation? and if it work on all android is there any bypass? and could anyone explain how is it work?(i mean the controlled sim) |