
New Exploit allows Android Lock Screen Bypass

rcmaehl

Summary

An issue with how Android handles locked SIM cards allowed a researcher to bypass Pixel Lockscreens. The issue is reported to affect other Android-based devices.

 


Quotes

Quote

The issue allowed an attacker with physical access to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s device. After rebooting the phone, putting in the incorrect PIN 3 times, entering the PUK, and choosing a new PIN, I got to the same “Pixel is starting…” state. I played with this process multiple times, and one time I forgot to reboot the phone, and just started from a normal unlocked state, locked the device, hot-swapped the SIM tray, and did the SIM PIN reset process. I didn’t even realize what I was doing. As I did before, I entered the PUK code and chose a new PIN. This time the phone glitched, and I was on my personal home screen. This was disturbingly weird. I did it again. Lock the phone, re-insert the SIM tray, reset the PIN… And again I am on the home screen. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too. 31 days after reporting, I woke up to the automated email saying that “The Android Security Team believes that this is a duplicate of an issue previously reported by another external researcher.” After talking to some Googlers about this October deadline, a member of the Android VRP team personally commented on the bug ticket, and asked me to set up a call to talk about the bug, and share feedback. Two weeks after our call, I got a new message that confirmed the original info I had. They said that even though my report was a duplicate, it was only because of my report that they started working on the fix. The Android engineers... decided to refactor the .dismiss() function and made it require an additional parameter, where the caller can specify what type of security screen it wants to dismiss. In our case, the PUK component now explicitly calls .dismiss(SecurityMode.SimPuk), to only dismiss security screens with the type of SimPuk. If the currently active security screen is not a SimPuk screen (because maybe some background component changed it, like in our case), the dismiss function doesn’t do anything.

 

My thoughts

So, the Android security team knew about this issue for who knows how long, and didn't patch it because the original author didn't have a disclosure deadline. I understand that the odds of someone coming across the exploit were extremely slim, but it's a lock screen bypass regardless. I guess this will be useful for anyone who may have forgotten their password on an old, no longer updated phone, at the very least.

 

Sources

White Paper (quote source)

Android Patch

Android Security Bulletin

Google <-> Researcher Communication
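The .dismiss() refactor described in the quoted write-up, modelled as a toy Java state machine. This is an added illustration, not AOSP code: only SecurityMode.SimPuk and dismiss(SecurityMode) come from the page; the container class, the unchecked pre-patch dismiss and the simulated background screen change are hypothetical simplifications.

```java
/*
 * Toy model of the keyguard dismiss race described in the quoted write-up.
 * Added illustration, not AOSP code: everything except SecurityMode.SimPuk
 * and dismiss(SecurityMode) is a hypothetical simplification.
 */
public class KeyguardDismissModel {

    enum SecurityMode { None, PIN, Password, Pattern, SimPin, SimPuk }

    /** Stand-in for the container that owns the currently shown security screen. */
    static class SecurityContainer {
        private SecurityMode current;
        private boolean keyguardGone = false;

        SecurityContainer(SecurityMode initial) { current = initial; }

        /** A background component (e.g. a SIM state update) can swap the screen. */
        void showSecurityScreen(SecurityMode mode) { current = mode; }

        /** Pre-patch behaviour: dismiss whichever screen is on top, unconditionally. */
        void dismissUnchecked() {
            current = SecurityMode.None;
            keyguardGone = true;
        }

        /** Patched behaviour: dismiss only if the caller's expected screen is still current. */
        boolean dismiss(SecurityMode expected) {
            if (current != expected) {
                return false;   // screen was changed underneath the caller: do nothing
            }
            current = SecurityMode.None;
            keyguardGone = true;
            return true;
        }

        boolean isKeyguardGone() { return keyguardGone; }
        SecurityMode currentMode() { return current; }
    }

    /**
     * The PUK component accepts the PUK and the new SIM PIN, then dismisses
     * its screen. Between those two steps a background SIM-state transition
     * has replaced the SimPuk screen with the device PIN screen.
     */
    static boolean simulatePukReset(boolean patched) {
        SecurityContainer kg = new SecurityContainer(SecurityMode.SimPuk);
        kg.showSecurityScreen(SecurityMode.PIN);      // background transition
        if (patched) {
            kg.dismiss(SecurityMode.SimPuk);          // no-op: PIN screen stays
        } else {
            kg.dismissUnchecked();                    // PIN screen dismissed as well
        }
        return kg.isKeyguardGone();
    }

    public static void main(String[] args) {
        System.out.println("unpatched: keyguard gone = " + simulatePukReset(false));
        System.out.println("patched:   keyguard gone = " + simulatePukReset(true));
        // Without the background transition the patched call still dismisses the PUK screen:
        SecurityContainer normal = new SecurityContainer(SecurityMode.SimPuk);
        System.out.println("patched, no race: dismissed = " + normal.dismiss(SecurityMode.SimPuk));
    }
}
```

The model makes the fix's property explicit: a caller can only dismiss the screen type it authenticated, so a screen swapped in by another component is never dismissed on its behalf.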



 


I do have an old ZenFone 6 that, if I can get it to actually boot into Android (Android 4.4), I may have forgotten the password to, so I guess I don't have to bring it to a data recovery facility if I really did forget the password and it does actually boot into Android. I just need to save that one priceless photo that I never backed up because idiot 11-year-old me never thought of it. Maybe there are some (copies of) other significant photos too, though, since again idiot me decided to tape 3 SD cards with important photos to the back of my old Xiaomi (it had a case, so I didn't mind the cards), and now the thing is gone after moving about half a year ago =|


This is such a meme, come on, Googlers...



1 hour ago, DANK_AS_gay said:

💀

Meanwhile there's a debate about how Apple sucks for not supporting an iOS 8 years old in the way that they think is best, ya know, because they are all experts in OS development, product management, etc. etc.

One does not discredit the other.

The vulnerability got patched, and you know what you can do with devices that don't have the luxury of being updated to the newest Android version? Install a custom ROM.

 

What can you do with an Apple product that no longer receives any updates at all? Buy another one, that's it.

Hell, even Microsoft still pushes updates on OSes they stopped supporting years ago (XP) to mitigate critical vulnerabilities.


1 minute ago, strajk- said:

What can you do with an Apple product that no longer receives any updates at all? Buy another one, that's it.

Jailbreak it.

 

1 minute ago, strajk- said:

Hell, even Microsoft still pushes updates on OSes they stopped supporting years ago (XP) to mitigate critical vulnerabilities

They get paid to, Microsoft offers updates for older OSes so long as you pay massive fees, and it's only available to corporations. Not comparable in the slightest.


9 minutes ago, DANK_AS_gay said:

Jailbreak it.

Since when does a Jailbreak fix vulnerabilities?
Stick to the actual subject matter, custom ROMs: the maintainers of LineageOS or others do fix these issues, a jailbreak doesn't.

 

Quote

They get paid to, Microsoft offers updates for older OSes so long as you pay massive fees, and it's only available to corporations. Not comparable in the slightest.

You are so wrong it is not even funny, it is sad, really...
https://www.catalog.update.microsoft.com/Search.aspx?q=SP3+XP

https://en.wikipedia.org/wiki/Windows_XP#End_of_support


10 minutes ago, strajk- said:

Since when does a Jailbreak fix vulnerabilities?

Since someone decided to fix it, I dunno, I'm not a jailbreak developer. And a phone that is outside of Apple's support of 8 years is on its last legs anyways, so buying a new phone isn't exactly ridiculous. Buying a new phone every 3 years is tho (end of Google's support for their own phones) 💀

And let's not forget: 

1 hour ago, rcmaehl said:

So, the Android security team knew about this issue for, who knows how long, and didn't patch it because the original author didn't have a disclosure deadline.

That doesn't happen with Apple.

AND THIS IS LITERALLY ON A GOOGLE PIXEL, GOOGLE'S OWN PHONE, WITH GOOGLE'S OWN OS


15 minutes ago, DANK_AS_gay said:

Since someone decided to fix it, I dunno, I'm not a jailbreak developer. And a phone that is outside of Apple's support of 8 years is on its last legs anyways, so buying a new phone isn't exactly ridiculous. Buying a new phone every 3 years is tho 💀

Then why mention Jailbreak at all if you don't know how it works?

As far as your opinion in regards to product lifespan is concerned...that's irrelevant; we're explicitly talking about how these situations are handled, where you decided to handwave concerns over how Apple handles planned obsolescence with their previous OSes as far as vulnerabilities and performance are concerned.

 

About the vulnerabilities, Microsoft tries to fix those in OSes they stopped supporting over a decade ago; it doesn't have to be enterprise and $$$ like you initially falsely claimed. In regards to custom ROMs, since the code is open source it is easier for whoever uses Android to keep their expensive gadgets up and running for longer.

 

Quote

That doesn't happen with Apple.

Guess you're a security researcher for Apple then, my apologies, how else would you know.


Wow, so much hypocrisy and whataboutism in this thread already. Who would've expected that...

 

2 hours ago, DANK_AS_gay said:

Meanwhile there's a debate about how Apple sucks for not supporting an iOS 8 years old in the way that they think is best, ya know, because they are all experts in OS development, product management, etc. etc.

Let's immediately defend Apple in a thread about an Android security flaw. Such a great idea! 🤦‍♂️

Apple has had similar issues before. How does this matter? Yeah right, it doesn't.

 

55 minutes ago, DANK_AS_gay said:

They get paid to, Microsoft offers updates for older OSes so long as you pay massive fees, and it's only available to corporations. Not comparable in the slightest.

Definitely comparable. Microsoft does not lock you out of official updates. I can update an old Sony Vaio from 2008 to the current build of Windows 11. Neither Google nor Apple offer that with their Chromebooks or Macbooks. And of course not with their mobile devices.

 

Edit: Oh wait, technically you can do that now with Chrome OS as well.

 

45 minutes ago, DANK_AS_gay said:

That doesn't happen with Apple.

No, this literally happens with Apple. Just recently happened in regards to VPNs on iOS.

 

45 minutes ago, DANK_AS_gay said:

Buying a new phone every 3 years is tho (end of Google's support for their own phones)

Get your sh*t right. 5 years of security updates.

Why this matters when everyone replaces their phone after 3 years anyway I don't know. Honestly doesn't even matter within this discussion.

 

 

Now to the only sentence that's relevant for this thread within my post, since I've only replied to pure bs so far.

Google fix your sh*t. You f*cked up.

 

 

 

 


Just now, strajk- said:

how else would you know.

Same way I know that that is what happened to this Android update my guy. 

2 minutes ago, strajk- said:

we're explicitly talking about how these situations are handled where you decided to handwave concerns over how Apple handles planned obsolesces with their previous OS'es as far as vulnerabilities and performance are concerned.

I don't handwave, as there is a simple solution: update your phone to the latest one available for your device. Boom. Problem solved. It isn't planned obsolescence if the phone Apple drops support for has 512 MB of combined RAM, which is not usable today. And people complaining about Apple slowing down the iPhone 6 and 7 in updates completely misunderstood the situation. As soon as you replaced the battery, you got your performance back. If Apple wanted you to get a new phone, they wouldn't have given you your performance back if you fixed your phone. It's no different from a car going into limp-home mode to protect itself from further damage. Technically, Ford (or whoever else) "took all of your performance", but OFC it wasn't to make you buy a new car. Apple literally supports a phone until it isn't feasible for that phone to be supported due to the # of people using those phones, and their actual capabilities.


6 minutes ago, Senzelian said:

I can update an old Sony Vaio from 2008 to the current build of Windows 11.

No you can't, it doesn't have TPM 2.0, or any other of the minimum requirements


7 minutes ago, DANK_AS_gay said:

No you can't, it doesn't have TPM 2.0, or any other of the minimum requirements

Literally from a Microsoft support page:

 

Quote

Microsoft recommends against installing Windows 11 on a device that does not meet the Windows 11 minimum system requirements. If you choose to install Windows 11 on a device that does not meet these requirements, and you acknowledge and understand the risks, you can create the following registry key values and bypass the check for TPM 2.0 (at least TPM 1.2 is required) and the CPU family and model.

 

So yes I can. I didn't pick a 2008 Vaio for fun, you know...

 

 

 

 


2 hours ago, rcmaehl said:

So, the Android security team knew about this issue for, who knows how long, and didn't patch it because the original author didn't have a disclosure deadline

That's actually not what was said. It was "known" about, but even the author admits that something went wrong in processing it. Without the original person who reported it releasing a report, we won't really know what could have gone wrong. e.g. If you report an issue, but it's a complicated step that involves manual input, it could very well be overlooked if it wasn't done correctly (i.e. the tech who tried verifying if it worked might have messed up and couldn't reproduce it). When this guy came along, he was able to submit it in a step that was repeatable. It might have also been reported, but maybe the scope was not understood (like maybe just being able to bypass the PIN but still needing the fingerprint)...as the original researcher would want to make sure it's fixed...since for them it would mean $100k.

 

Don't get me wrong, it's really bad that it took such an extended time to fix, and I think it would be important to have a write-up on why it took so long...but his pressure of the Oct deadline I don't think is what really got it released...it did accelerate it by a month. Looking at the code changes, it really involved the core part of the security...wouldn't be surprised if they tried a few different concepts of fixes before coming up with this solution. (They had to add a non-optional parameter to a core internal API function.) With that said, it probably should have been fixed quicker than it was; but given that he gave a deadline and they told him it would be fixed 2 months after (and accelerated to only a month after)...even when he held firm, to me that tells just how fundamental the code was.

 

Not saying that it excuses it, there are clearly issues...like the fact that it was pre-reported (and allegedly dismissed). From my knowledge though, Google is usually pretty good about getting on top of exploit reports (as even their own security research team has a 90 day disclosure policy...unless more time to fix is requested)

 

1 hour ago, DANK_AS_gay said:

That doesn't happen with Apple.

Yes, yes it does.  Actually Apple has a history of ticking off security researchers by not paying out bounties (by claiming things aren't actually an exploit or by fixing them saying it was unrelated).

https://habr.com/en/post/579714/

And in those cases as well (and some that the guy lists), they didn't even pay the researchers anything.  They denied the bounty.

 

Although the fact that Apple is terrible doesn't excuse Google in this case, it's foolhardy to say that it doesn't happen at Apple (and as you have read that other Apple thread, you know that they actually did patch a vulnerability but left it unpatched for the majority of users until it was used in the wild against those users)



37 minutes ago, Senzelian said:

Literally from a Microsoft support page:

 

 

So yes I can. I didn't pick a 2008 Vaio for fun, you know...

You aren't supposed to, but you can. Just like I can technically make a hackintosh.


42 minutes ago, Senzelian said:

Literally from a Microsoft support page:

 

 

So yes I can. I didn't pick a 2008 Vaio for fun, you know...

"we do not support this, but we are not going to stop you from bypassing"
Basically also means, we do not support this configuration, don't cry to us because we don't support it, that's on you. If some security bug comes to light in terms of this hardware/software combo, we are under no obligation to fix it.


17 minutes ago, DANK_AS_gay said:

You aren't supposed to, but you can. Just like I can technically make a hackintosh.

Who are you to decide that? What I am supposed to do and not is not for you to decide. In the case of Hackintoshes it's up to Apple, and they're very clear about it: it's illegal. That is entirely different from distancing themselves and leaving it to me to decide, like Microsoft does.

 

12 minutes ago, starsmine said:

"we do not support this, but we are not going to stop you from bypassing"
Basically also means, we do not support this configuration, don't cry to us because we don't support it, that's on you. If some security bug comes to light in terms of this hardware/software combo, we are under no obligation to fix it.

Exactly!

 

 

 

 


1 hour ago, starsmine said:

don't cry to us because we don't support it, that's on you.

 

1 hour ago, Senzelian said:

Exactly!

 

Why are you entitled to the option of installing OSs on devices that do not support it? I get installing whatever OS you want on your device, but genuinely, why should you be able to install an OS that explicitly states that it doesn't support your hardware (even if it is arbitrary, like in Windows 11's case)?

 

2 hours ago, strajk- said:

ESU means nothing to you? The updates are no longer for sale because the ESU ended like 5+ years ago for XP, and Windows 7's ended last year.

quote from the doc you linked LMAO

"April 8, 2014, over 12 years after the release of Windows XP; normally Microsoft products have a support life cycle of only 10 years.[118] Beyond the final security updates released on April 8, no more security patches or support information are provided for XP free-of-charge; "critical patches" will still be created, and made available only to customers subscribing to a paid "Custom Support" plan.[119] As it is a Windows component, all versions of Internet Explorer for Windows XP also became unsupported."[120]

 

"You are so wrong it's not even funny, it is sad, really"

Actually, you are so wrong that it wrapped around back to funny. 🤣


8 minutes ago, DANK_AS_gay said:

"You are so wrong it's not even funny, it is sad, really"

Actually, you are so wrong that it wrapped around back to funny. 🤣

Are you just intentionally trying to be slow or do you have genuine difficulties following a conversation?

The link I provided gives you sources to unpaid updates way past the 10 year clause, the last one being in 2019, I am done responding to you, you're either intentionally dishonest or just not equipped to have this conversation.

 

I bet on the latter, since by the responses I've seen so far you keep moving the goalpost around with irrelevant comparisons, had a genuine laugh where you compared a regedit workaround with a hackintosh, genuine cringe.

You're a prime Dunning Kruger example, peace.


3 hours ago, DANK_AS_gay said:

They get paid to, Microsoft offers updates for older OSes so long as you pay massive fees, and it's only available to corporations. Not comparable in the slightest.

 

27 minutes ago, DANK_AS_gay said:

"critical patches" will still be created, and made available only to customers subscribing to a paid "Custom Support" plan.

So you gave me 2 conflicting sources, one of which takes a minute and a half to load for some reason, and the wikipedia article, and expected me to not use the one that loaded in an appropriate amount of time? And then expected me to not draw a correct conclusion that is sourced and documented? Maybe it is outdated information (and therefore an outdated conclusion), but rather than insult me, you could tell me that it has changed since then.

14 minutes ago, strajk- said:

I bet on the latter, since by the responses I've seen so far you keep moving the goalpost around with irrelevant comparisons

 

You also insult other people, then get mad when they insult back, seems to me that you are the one moving goalposts.

And have you even heard of dialectical discussions?

 

14 minutes ago, strajk- said:

had a genuine laugh where you compared a regedit workaround with a hackintosh, genuine cringe.

It was a broad comparison, one that @Senzelian understood, which was the point. I don't care if you did or didn't like it.


Sorry everyone here for that argument, that was just supposed to be a humorous dig at the other thread in this section, but @strajk- wanted to continue the argument here I guess 🤷‍♂️

 

It's my fault that I continued to engage with him, more than it is his fault for engaging with me, as I can see how my initial joke could be polarizing in a PC forum.

 

Thanks @Senzelian for pointing out my mistakes, however well I may have handled it 😅

 

And, as much as it pains me to say it, @strajk- was right, and my conclusions were made off of old information that is no longer relevant.

Let's move on, shall we?

 

(and no @Gamer Schnitzel, this isn't to appease the mods, that's why I said it before they got here 🙄)


I don't have a lock screen, take that, attacker!


 

¯\_(ツ)_/¯ 

 

 

20 hours ago, rcmaehl said:

I guess this will be useful for anyone that may have forgotten their password on an old, and no longer updated phone at the very least.

but chances are if someone doesn't know their pw, they won't know their PUK either...

 

 

This made me wonder... let me guess, current Android "security" makes it so that if you change the SIM card you can't access the data on the phone anymore??

 

If so, it wasn't like that on older Androids... and I'm only speculating, because everything about current Android "security" makes me super uneasy (Samsung is extremely bad with this, essentially hijacking certain data from the user)



19 minutes ago, Mark Kaine said:

but chances are if someone doesn't know their pw, they won't know their PUK either...

PUKs are based on the SIM, not the phone. You could buy a new SIM card, which in some countries already comes with a password set (such as 0000 or 1234), and inside it tells you the PIN and the PUK of that SIM card.

Link to comment
Share on other sites

Link to post
Share on other sites

19 minutes ago, AndreiArgeanu said:

PUK's are based on the SIM not the phone. You could buy a new sim card, which in some countries already come with a password set (such as 0000 or 1234) and inside it tells you the pin and the PUK of that sim card.

But... that was my next question... will you be able to access your phone and data normally after you've done that, *or* will the phone just say "SIM card change detected, please log in with your Google and Samsung account" (the passwords for which would most likely be stored *on the phone* anyway, which is now inaccessible...), *or* does it just get wiped completely ("for security")? 🤔

 

 

PS: I *think* you will still be able to reset the passwords (or at least log in) if your phone number didn't change (which isn't necessarily a given), but that's how it was in the past, not sure if it's still like that.


