Google Pays $70k for Android Lock Screen Bypass By Orbit Brain November 11, 2022 0 268 views House › Cell SafetyGoogle Pays $70ok for Android Lock Display screen BypassBy Ionut Arghire on November 11, 2022TweetGoogle not too long ago handed out a $70,000 bug bounty reward for an Android vulnerability resulting in lock display screen bypass, safety researcher David Schutz says.Tracked as CVE-2022-20465, the safety bug was resolved as a part of the November 2022 Android patches, and will have allowed an attacker with bodily entry to a tool to unlock it in minutes.The problem, which Schutz by chance found, may enable an attacker to unlock an Android telephone by triggering the SIM PIN reset mechanism, which requires the consumer to enter a PUK code.On this situation, an attacker with bodily entry to a locked gadget must hot-swap the SIM card with one they personal, after which enter the incorrect private identification quantity (PIN) thrice to set off the PIN reset course of, which prompts for the SIM’s 8-digit private unlocking key (PUK) code. The attacker is assumed to have the PUK code in the event that they insert their very own SIM card into the telephone.As soon as the attacker enters the PUK code, they’re supplied with full entry to the gadget, with out being prompted to offer the telephone’s PIN, a password, or an unlocking sample.The vulnerability, a lock display screen bypass because of an error within the “dismiss and associated features of KeyguardHostViewController.java and associated recordsdata”, impacts units working Android 10, 11, 12, and 13. Google describes the problem as an elevation of privilege bug.The underlying challenge, Schutz says, is a race situation vulnerability in a .dismiss() operate known as after the PUK code has been entered. The operate is supposed to dismiss the present safety display screen, which ought to have been the PUK immediate.Due to this vulnerability, nonetheless, the part monitoring the SIM state within the background would change the safety display screen proper earlier than the .dismiss() operate was known as, ensuing within the PIN/password/sample display screen being dismissed as an alternative and the telephone being unlocked.“It looks as if this background part set the traditional e.g. fingerprint display screen because the energetic safety display screen, even earlier than the PUK part was capable of get to its personal .dismiss() operate name. By the point the PUK part known as the .dismiss() operate, it truly dismissed the fingerprint safety display screen, as an alternative of simply dismissing the PUK safety display screen, because it was initially supposed,” Schutz says.To deal with the vulnerability, Google modified the .dismiss() operate by including a brand new parameter, the place the operate caller specifies which sort of safety display screen needs to be dismissed.“In our case, the PUK part now explicitly calls .dismiss(SecurityMode.SimPuk), to solely dismiss safety screens with the kind of SimPuk. If the presently energetic safety display screen will not be a SimPuk display screen (as a result of perhaps some background part modified it, like in our case), the dismiss operate doesn’t do something,” Schutz notes.The researcher reported the vulnerability to Google in mid-June. Just a few months later, the web large advised him that the report was a replica.Schutz says he was capable of reveal the problem in entrance of a number of Google engineers in September at an occasion and that, after partaking once more with the bug bounty program staff, the web large determined to expedite the discharge of patches and to award him $70,000.The researcher confirmed the vulnerability on Pixel 5 and Pixel 6 telephones, however different Android units is likely to be impacted as nicely. Updating to an Android safety patch stage of 2022-11-05 or later resolves the bug.Associated: Google Patches Excessive-Severity Privilege Escalation Vulnerabilities in AndroidAssociated: Android Safety Updates Patch Important VulnerabilitiesAssociated: Google Patches Important Vulnerabilities in Pixel TelephonesGet the Each day Briefing Most LatestMost LearnGitHub Introduces Non-public Vulnerability Reporting for Public RepositoriesChinese language Spyware and adware Targets Uyghurs By way of Apps: ReportLiteSpeed Vulnerabilities Can Result in Full Internet Server TakeoverFoxit Patches A number of Code Execution Vulnerabilities in PDF ReaderGoogle Pays $70ok for Android Lock Display screen BypassCISA Releases Choice Tree Mannequin to Assist Firms Prioritize Vulnerability PatchingMicrosoft Hyperlinks Status Ransomware Assaults to Russian State-Sponsored HackersLaika Raises $50 Million for Its Compliance PlatformCisco Patches 33 Vulnerabilities in Enterprise Firewall MerchandiseTwitter Safety Chief Resigns as Musk Sparks ‘Deep Concern’In search of Malware in All of the Improper Locations?First Step For The Web’s subsequent 25 years: Including Safety to the DNSTattle Story: What Your Laptop Says About YouBe in a Place to Act By way of Cyber Situational ConsciousnessReport Reveals Closely Regulated Industries Letting Social Networking Apps Run Rampant2010, A Nice Yr To Be a Scammer.Do not Let DNS be Your Single Level of FailureHow you can Determine Malware in a BlinkDefining and Debating Cyber WarfareThe 5 A’s that Make Cybercrime so EngagingHow you can Defend In opposition to DDoS AssaultsSafety Budgets Not in Line with ThreatsAnycast – Three Causes Why Your DNS Community Ought to Use ItThe Evolution of the Prolonged Enterprise: Safety Methods for Ahead Pondering OrganizationsUtilizing DNS Throughout the Prolonged Enterprise: It’s Dangerous EnterpriseShare this:FacebookXPrintEmailLinkedInRedditTwitterTumblrPinterestTelegramWhatsApp Android bug bounty bypass CVE-2022-20465 Google lock screen patch pixel reward vulnerability Orbit Brainhttps://orbitbrain.com/ Orbit Brain is the senior science writer and technology expert. Our aim provides the best information about technology and web development designing SEO graphics designing video animation tutorials and how to use software easy waysand much more. Like Best Service Latest Technology, Information Technology, Personal Tech Blogs, Technology Blog Topics, Technology Blogs For Students, Futurism Blog.
Backdoors Found on Counterfeit Android PhonesIntroducing the Cyber Security News Backdoors Found on Counterfeit Android Phones.... August 23, 2022 Cyber Security News
The Potential and Pitfalls of a Federal Privacy LawIntroducing the Cyber Security News The Potential and Pitfalls of a Federal Privacy Law.... December 13, 2022 Cyber Security News
China’s Winnti Group Seen Targeting Governments in Sri Lanka, Hong KongIntroducing the Cyber Security News China’s Winnti Group Seen Targeting Governments in Sri Lanka, Hong Kong.... October 19, 2022 Cyber Security News
SAP Patches High-Severity NetWeaver VulnerabilitiesIntroducing the Cyber Security News SAP Patches High-Severity NetWeaver Vulnerabilities.... June 15, 2022 Cyber Security News
VirusTotal Data Shows How Malware Distribution Leverages Legitimate Sites, AppsIntroducing the Cyber Security News VirusTotal Data Shows How Malware Distribution Leverages Legitimate Sites, Apps.... August 4, 2022 Cyber Security News
South Korea Fines Google, Meta Over Privacy ViolationsIntroducing the Cyber Security News South Korea Fines Google, Meta Over Privacy Violations.... September 15, 2022 Cyber Security News
Pantera Capital Plans $250M Solana (SOL) Buy, Analyst Predicts Record Rally Toward $1000March 8, 2024 75
Ethereum Blockchain Now Has A Modernized Version of Bitcoin (BTC) But With A Much Lower SupplyMarch 9, 2024 71