Time to Patch: Google Pixel devices vulnerable to Lock Screen Bypass

Google Pixel device owners may want to download and install the November 2022 security patches for their devices as soon as possible. Google fixed a serious security issue that

allows the bypassing of the lock screen of the device. The attack requires access to the Google Pixel device, but nothing besides that. Successful exploitation of the issue gives

the attacker full access of the device, bypassing any lock screen protection that may be in place. Security researcher David Schütz discovered the vulnerability by accident and

reported it to Google after verification on his end. According to Schütz, it took Google several months to patch the issue and release a security update for supported Android

devices. The Google Pixel lock screen bypass explained Schütz explains that he discovered the issue by accident. His Google Pixel 6 phone shut itself down while traveling. He

typed the wrong PIN several times after connecting the device to a charger; this led to the device asking for the PUK to be entered. After entering the PUK, the device asked

Schütz to enter a new PIN to protect the device. Schütz noticed then that the device was not asking for the lock screen PIN, but that he could sign-in using fingerprint

protection. That should not happen at this stage, as it was a fresh boot. He investigated the issue in depth, putting the device into the PUK state multiple times. One time, he

decided to hot-swap the SIM card and do the PIN reset process using the PUK of the other SIM card. This worked and to Schütz’s surprise, bypassed the lock screen protection of

the device and loaded the home screen. In other words: Schütz discovered a lock screen bypass that worked on Pixel devices. It requires physical access and a second SIM card that

is in PIN locked state. The same issue affected the researcher’s Pixel 5 device. Schütz did not test the issue on other devices. He suggests that devices off other manufacturers

may be affected by the security issue as well. Google awarded Schütz a bug bounty of $70,000 for discovering and reporting the issue. It is important to realize that older Pixel

devices may be affected by the issue. Security updates are not released for devices that are out of support. As a result, some devices that may be vulnerable may never be patched.

You may check Google’s support page, which details for how long Pixel devices are supported with updates by the company. Google Pixel’s November security patches fix the issue

Google releases security updates for Pixel devices once per month. Pixel owners may check the installed Android version in the following way: Open the Settings application on the