Android Unlock Bug Fixed

By John Lister

Android users are being urged to make sure their phones have the latest security patches, after a researcher accidentally uncovered a significant flaw in the lock screen.

The researcher discovered the problem on a Google Pixel 6 and replicated it on a Pixel 5. The problem appears to affect phones running Android 10 or later that take a SIM card, not just those made by Google. However, some reports suggest it doesn't affect Samsung handsets.

The problem involves the personal unblocking key (PUK). That's a code used to unblock a SIM card after its SIM PIN has been entered incorrectly three times. It is a SIM credential, not a handset one: it has nothing to do with the phone's own lock screen PIN, pattern or password, which is the point that matters here.

The carrier that issued the SIM gives the PUK to the subscriber, who types it in and then chooses a new SIM PIN. Entering the correct PUK only proves that the person holds that SIM's credentials. It says nothing about whether they are the owner of the handset, so it should never dismiss the handset's lock screen on its own.

Dead Battery Uncovers Secrets

Researcher David Schutz discovered the problem by accident when his phone ran out of charge and, on powering it back up, he entered the SIM PIN wrongly too many times. After typing in the PUK he was asked to set a new SIM PIN, as normal. The phone then rebooted, again as normal, but Schutz wasn't asked for his lock screen PIN, as should always happen after a reboot. Instead, it went straight to the fingerprint unlock. (Source: davidhu.me)

Being a curious researcher, Schutz played about with the device, trying out various combinations of actions. He discovered that if he simply removed and reinserted the SIM card while the phone was locked, then deliberately entered the wrong SIM PIN three times and cleared the resulting block with the PUK, the lock screen disappeared altogether: no lock screen PIN, no fingerprint.

That meant anyone with physical access to the phone could swap in a PIN-locked SIM card of their own, enter its SIM PIN wrongly three times, and then type in that SIM's PUK, which they know because it is their card, to unlock the phone without ever learning the owner's PIN. (Source: bleepingcomputer.com)

Schutz reported the problem to Google and says it was acknowledged quickly, but the follow-up was slow and short on detail. Three months later, in September, he found the bug was still present. He then warned that he would go public with it, prompting Google staff to discuss the case with him.

Problems Stack Up

Google has now fixed the problem, and Schutz says he has a general idea of what went wrong. The lock screen's security checks behave like a stack of screens (SIM PIN, PUK, lock screen PIN, fingerprint and so on), where dismissing the screen on top reveals the next one underneath.

Once the PUK was accepted, the phone should have removed the PUK screen and nothing else. But accepting the PUK also changes the SIM's state, and the code that reacts to that state change had already removed the PUK screen and put the lock screen PIN screen on top. The PUK code then issued a generic "dismiss the top screen" instruction, which removed the PIN screen instead, leaving nothing between the attacker and the home screen.

The fix is correspondingly simple: the dismiss call now names the screen it expects to remove. In effect the instruction is "dismiss the PUK screen" rather than "dismiss whatever is on top", and it is ignored if a different screen is showing.
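To make the stack behaviour concrete, here is a small Python model of it. This is an added illustration, not Schutz's code and not Android's own; the class and method names (Keyguard, Sim, SimState, dismiss_top, dismiss_expected) are assumptions chosen for the example, and the lock screen PIN, SIM PIN and PUK values are constructed. It runs the attacker's sequence against both the pre-patch "dismiss whatever is on top" behaviour and the patched "dismiss only the screen that was verified" behaviour, and checks that the patched version still lets the legitimate owner in.

```python
from __future__ import annotations
from enum import Enum, auto
from typing import Optional

# Added illustration, not AOSP or the researcher's code: Keyguard, Sim, SimState and the
# method names are assumptions chosen for this example, and the stack is a simplified model.

class SecurityMode(Enum):
    PIN = auto()       # the owner's lock screen PIN (stands in for pattern/password/fingerprint)
    SIM_PIN = auto()   # the SIM card's own PIN
    SIM_PUK = auto()   # PUK prompt shown after three wrong SIM PINs

class SimState(Enum):
    PIN_REQUIRED = auto()
    PUK_REQUIRED = auto()
    READY = auto()

class Sim:
    """A SIM with its own PIN and PUK (constructed sample values, not real ones)."""
    def __init__(self, pin: str, puk: str) -> None:
        self.pin, self.puk, self.wrong_pins = pin, puk, 0
        self.state = SimState.PIN_REQUIRED

class Keyguard:
    """Stack of security screens; the last element is the one currently shown."""
    def __init__(self, lockscreen_pin: str, fixed: bool) -> None:
        self._lock_pin, self._fixed = lockscreen_pin, fixed   # fixed=False: pre-patch
        self._stack = [SecurityMode.PIN]                      # booted and locked
        self._sim: Optional[Sim] = None

    def current_mode(self) -> Optional[SecurityMode]:
        return self._stack[-1] if self._stack else None

    def is_unlocked(self) -> bool:
        return not self._stack

    def insert_sim(self, sim: Sim) -> None:
        self._sim = sim
        self._on_sim_state_changed()

    def _on_sim_state_changed(self) -> None:
        """Telephony callback: rebuild the SIM screens on top of the lock screen PIN."""
        self._stack = [m for m in self._stack if m is SecurityMode.PIN]
        if self._sim.state is SimState.PIN_REQUIRED:
            self._stack.append(SecurityMode.SIM_PIN)
        elif self._sim.state is SimState.PUK_REQUIRED:
            self._stack.append(SecurityMode.SIM_PUK)
        # READY: no SIM screen is pushed, so the lock screen PIN is now on top

    def enter_sim_pin(self, pin: str) -> bool:
        if self.current_mode() is not SecurityMode.SIM_PIN:
            return False
        if pin == self._sim.pin:
            self._sim.state = SimState.READY
            self._on_sim_state_changed()
            return True
        self._sim.wrong_pins += 1
        if self._sim.wrong_pins >= 3:              # SIM blocked; PUK now required
            self._sim.state = SimState.PUK_REQUIRED
            self._on_sim_state_changed()
        return False

    def enter_puk(self, puk: str) -> bool:
        if self.current_mode() is not SecurityMode.SIM_PUK or puk != self._sim.puk:
            return False
        # 1. The SIM becomes READY and telephony fires its callback, which removes the
        #    PUK screen by itself; the lock screen PIN is now the top of the stack.
        self._sim.state = SimState.READY
        self._on_sim_state_changed()
        # 2. Only then does the PUK screen report success and ask for a dismiss.
        if self._fixed:
            return self._dismiss_expected(SecurityMode.SIM_PUK)
        return self._dismiss_top()

    def enter_lock_pin(self, pin: str) -> bool:
        if self.current_mode() is not SecurityMode.PIN or pin != self._lock_pin:
            return False
        return self._dismiss_expected(SecurityMode.PIN)

    def _dismiss_top(self) -> bool:
        self._stack.pop()          # pre-patch: pop whatever is on top, whatever it is
        return True

    def _dismiss_expected(self, expected: SecurityMode) -> bool:
        if self.current_mode() is not expected:   # patched: refuse if a different screen
            return False                          # is showing than the one just verified
        self._stack.pop()
        return True

def attacker_sequence(fixed: bool) -> tuple[bool, Optional[SecurityMode]]:
    """Physical access, own SIM, three wrong SIM PINs, then the attacker's own PUK."""
    phone = Keyguard(lockscreen_pin="4321", fixed=fixed)  # attacker never learns this PIN
    own_sim = Sim(pin="0000", puk="11111111")             # constructed sample values
    phone.insert_sim(own_sim)
    for _ in range(3):
        phone.enter_sim_pin("9999")                       # deliberately wrong
    phone.enter_puk(own_sim.puk)
    return phone.is_unlocked(), phone.current_mode()

def owner_sequence() -> bool:
    """Patched phone, real owner: the PUK clears the SIM, the lock screen PIN still works."""
    phone = Keyguard(lockscreen_pin="4321", fixed=True)
    phone.insert_sim(Sim(pin="0000", puk="11111111"))
    for _ in range(3):
        phone.enter_sim_pin("9999")
    phone.enter_puk("11111111")
    return phone.enter_lock_pin("4321") and phone.is_unlocked()

if __name__ == "__main__":
    print("pre-patch:", attacker_sequence(fixed=False))   # (True, None): unlocked with no PIN
    print("patched:  ", attacker_sequence(fixed=True))    # (False, SecurityMode.PIN): locked
    print("owner, patched:", owner_sequence())            # True
```

The model captures the order of events that matters: the SIM state change reshuffles the stack before the PUK screen's success path runs, so a dismiss that does not say which screen it is dismissing removes the wrong one. The fix is not a stronger credential check but a check that the thing being dismissed is the thing that was actually verified.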

The fix is in the November 2022 Android security patch. Whether and when it reaches a particular handset, and whether any user action is needed, depends on the manufacturer and the device's update settings; checking the security patch level in the phone's settings is the quickest way to confirm it has arrived.

What's Your Opinion?

Have you ever used a PUK? Are you surprised such a bug occurred? Do you pay much attention to security updates on your phone?
