Google has just patched the Android vulnerability.
An attacker could have bypassed the lock screen on locked Pixel devices through a vulnerability that affects “seemingly all” Google Pixel phones.
A blog post by David Schutz, a cybersecurity researcher, states that the bug was only fixed for the affected Android phones in the November 5, 2022 security update. This happened around six months after Schutz filed his bug report.
CVE-2022-20465 is the vulnerability that allowed an attacker with physical access to the device to bypass its lock screen.
What was the secret to this exploit?
Schutz claimed that an earlier bug report by another researcher flagging the same issue had been ignored. He said that the exploit is simple and easy to replicate.
The steps involved locking the SIM card by entering its PIN incorrectly three times, then swapping the SIM card back in, resetting the PIN by entering the SIM card’s PUK code (which is normally included with the original packaging), and finally choosing a new PIN.
Schutz stated that the attacker could simply bring their own PIN-locked SIM card, so the victim’s own SIM card was not required to exploit the vulnerability.
An attacker could simply swap the SIM in the victim’s phone for a PIN-locked SIM card whose PIN and PUK code the attacker already knew, and then carry out the steps above.
To Google’s credit, it acknowledged Schutz’s report detailing the vulnerability within 37 minutes of his filing it.
Schutz did not provide any evidence, but he suggested that other Android vendors might have been affected as well. Since Android is an open-source operating system, it is possible that the underlying Android code was affected.
It’s not the first time that a security researcher has discovered serious security flaws in Android phones.
In April 2022, Check Point Research disclosed a flaw in the Qualcomm and MediaTek audio decoders that, had it not been fixed, could have left a large number of Android phones susceptible to remote code execution.