This Google Pixel bug fix could have spelled trouble for all Android phones

The Android vulnerability has only recently been patched by Google

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

A vulnerability impacting “seemingly all"GooglePixel phonescould reportedly have allowed unwanted entrants access to a locked Pixel device.

According to ablog postby cybersecurity researcher David Schütz, whose bug report convinced Google to take action, the bug was only patched for theAndroid phonesin question following a November 5 2022 security update, around six months after filing his bug report.

The vulnerability, which is tracked asCVE-2022-20465, allowed an attacker with physical access to bypass the lock screen protections, such as fingerprint and PIN, and gain complete access to the user’s device.

How did the exploit work?

Schütz, who claimed that another researcher’s previous bug report flagging the issue was ignored, said that the exploit was simple and easily replicable.

It involved locking a SIM card by entering the wrong pin three times, re-inserting the SIM tray, resetting the PIN by entering the SIM card’s PUK code (which should come with the original packaging) and then choosing a new PIN.

Since the attacker could just bring their own PIN-locked SIM card, nothing other than physical access was required to execute the exploit, according to Schütz.

Our guide to the best patch management tools

Serious vulnerabilities in HP devices left unpatched for months on end

This ancient unpatched Python security flaw could leave thousands of projects vulnerable

Would-be attackers could just swap such a SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

To Google’s credit, despite the seriousness of the exploit Schütz claims that after he filed a report detailing the vulnerability, Google attended to the exploit within 37 minutes.

Though Schultz didn’t provide any evidence, he posited that other Android vendors may have been affected. This is certainly possible, as Android is anopen sourceoperating system.

This isn’t the first time a security researcher has unveiled serious security flaws within Android phones, either.

In April 2022,Check Point Research(CPR) unearthed a flaw which if left unpatched could potentially have rendered a large number of Android phones vulnerable to remote code execution, due to vulnerabilitiesthat lay within the audio decoders of Qualcomm and MediaTek chips.

Will McCurdy has been writing about technology for over five years. He has a wide range of specialities including cybersecurity, fintech, cryptocurrencies, blockchain, cloud computing, payments, artificial intelligence, retail technology, and venture capital investment. He has previously written for AltFi, FStech, Retail Systems, and National Technology News and is an experienced podcast and webinar host, as well as an avid long-form feature writer.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)