

A few days after the release of the November security patches, we are back to discuss a recently discovered vulnerability affecting the Android operating system: researcher David Schütz was able to bypass the smartphone lock screen simply by using an ordinary SIM card.
How this security flaw works is dangerously simple: an attacker needs physical access to the smartphone and a PIN-protected SIM card whose PUK code he also knows, and that is it. Once that SIM is inserted in place of the old one, the phone asks for the PIN code, and this is precisely the moment at which the flaw can be exploited.
It is in fact enough to deliberately enter the wrong PIN three times and then enter the PUK code: the smartphone unlocks, bypassing the lock screen entirely. You can see the whole process in the video below, published by David Schütz on his YouTube channel.

How the flaw works
Without going into too much detail, it is enough to know that the Android operating system shows the lock screen “above” all other activities: in some cases the screen can be removed by authenticating with a fingerprint or facial recognition, while in others the code must be entered (this usually happens right after the device has been turned on).
In the case of this flaw, when the user inserts a new PIN-protected SIM, a “new lock screen” is shown above the usual one, in which the SIM’s PIN and PUK codes are entered. When the PUK code is confirmed, however, the operating system removes all lock screens (that is, both the SIM PIN request and the classic Android lock screen we are all used to), when it should limit itself to hiding the screen for the SIM PIN code.
This security flaw is most effective on devices that have been unlocked at least once before the procedure is performed: if the device has just been turned on, the flaw still works, but some data will be inaccessible and some apps may malfunction (this is because the operating system makes all data accessible only after the device has been unlocked at least once).
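The behaviour described above can be modelled as a stack of security screens in which the SIM PUK prompt sits on top of the normal device lock. The following is an added example written for this article, not AOSP code: the screen names, the SimCard and Keyguard classes and the two dismiss branches are assumptions made for illustration, and the PIN/PUK values are constructed. It contrasts the over-broad dismissal (every screen cleared once the PUK is accepted) with the corrected behaviour (only the SIM screen hidden), and reproduces the first-unlock caveat for user data.

```python
from dataclasses import dataclass, field

# Screen names are assumptions of this model, not AOSP identifiers.
DEVICE_LOCK = "device_lock"  # the classic Android lock screen
SIM_PIN = "sim_pin"          # PIN prompt shown after inserting a locked SIM
SIM_PUK = "sim_puk"          # PUK prompt shown after three wrong PINs

@dataclass
class SimCard:
    pin: str
    puk: str
    pin_attempts_left: int = 3

@dataclass
class Keyguard:
    # Stack of security screens; the last element is the one on top.
    screens: list = field(default_factory=lambda: [DEVICE_LOCK])
    # User data is readable only after the first unlock since boot.
    unlocked_once_since_boot: bool = False

    def insert_locked_sim(self) -> None:
        self.screens.append(SIM_PIN)

    def enter_sim_pin(self, sim: SimCard, guess: str) -> None:
        if guess == sim.pin:
            self.screens.remove(SIM_PIN)
            return
        sim.pin_attempts_left -= 1
        if sim.pin_attempts_left == 0:  # SIM is now PUK-locked
            self.screens[-1] = SIM_PUK

    def enter_sim_puk(self, sim: SimCard, guess: str, patched: bool) -> None:
        if guess != sim.puk:
            return
        if patched:
            self.screens.remove(SIM_PUK)  # fixed: hide only the SIM screen
        else:
            self.screens.clear()          # bug: every screen is dismissed

def simulate(patched: bool, unlocked_once: bool) -> tuple[bool, bool]:
    """Replay the article's sequence; return (bypassed, data accessible)."""
    sim = SimCard(pin="1234", puk="12345678")  # constructed sample values
    kg = Keyguard(unlocked_once_since_boot=unlocked_once)
    kg.insert_locked_sim()
    for _ in range(3):
        kg.enter_sim_pin(sim, "0000")          # three wrong PIN entries
    kg.enter_sim_puk(sim, sim.puk, patched)
    bypassed = not kg.screens                  # nothing left above the launcher
    return bypassed, bypassed and kg.unlocked_once_since_boot
```

With the corrected branch the device lock remains on the stack after the PUK is accepted, so the user's own credential is still required.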
Affected devices and fixes
Although the flaw was discovered on a Pixel phone, the bug is present directly in the source code of the Android Open Source Project (AOSP): this means that all devices running software based on this code could be vulnerable. Some users have confirmed that the above process works on devices running LineageOS and GrapheneOS, while it reportedly does not work on newer Samsung devices.
This vulnerability is formally registered as CVE-2022-20465, and Google has already confirmed that it has fixed it completely: the company has published fixes in the AOSP source code for Android 13 and older versions (specifically Android 10, 11 and 12).
Over the next few days the various manufacturers will release an update to fix this dangerous problem.
