Last week, security and bug expert David Schütz stumbled upon an alarming security flaw that affects Google Pixel phones, which allowed anyone with physical access to a phone to bypass the lock screen and gain access to the user's device without needing a passcode.
As Schütz notes in his blog (via BleepingComputer), the cybersecurity researcher accidentally found the bug when trying to unlock his Pixel 6. After entering the wrong PIN three times, the SIM card locked, which he then recovered using the Personal Unblocking Key (PUK) code.
When unlocking the SIM and setting a new PIN, the Pixel simply showed the fingerprint icon without asking for a lock screen PIN or password. This isn't normal for Android phones, as they always ask for a passcode when rebooting to prevent attackers from accessing the phone.
After further investigation, Schütz discovered that he could bypass the lock screen and access the device, even without a fingerprint. This means that attackers who have access to the device, such as threat actors who steal phones, could use their own SIM card, put in a wrong PIN code three times, use a PUK number, and then access the device without even needing a fingerprint or PIN code.
The researcher demonstrates the process below:
Download Google's November 2022 security update
Schütz reached out to Google to patch the security flaw, which has now been fixed in the November 5 Google security update. It's worth noting that he reported the bug back in June, meaning the flaw has been around for a few months.
It's a good idea to update your Android device, with the report noting that it could affect all Pixel devices, including the Pixel 7 and Pixel 7 Pro, along with Android phones running version 10 and later. To do this, head to Settings > Security > Security update > Check for update.
For more on the security flaw, check out the full blog post. We've seen a few security issues lately, including a malicious Chrome extension that can track your keystrokes. To make sure you're protected, check out the best antivirus apps.