Android bug discovery earned $70,000 for a user who reported it directly to Google

Discovered by accident, an Android bug that allowed password-less bypassing of the lock screen menu has earned a security expert a $70,000 award from a Google-backed rewards program.

Labeled CVE-2022-20465, the vulnerability allowed any Android phone to be unlocked regardless of the password, PIN, or pattern set for unlocking the screen. All you needed was your own SIM card to temporarily replace the one installed in your phone.

Exposed to using a SIM card set up to unlock by entering the PIN every time the phone was turned on, the vulnerability eventually allowed bypassing the phone’s own PIN. To take advantage of this vulnerability all you had to do was replace the user’s SIM card with your own. Extremely simple to implement, the attack involved deliberately entering the wrong PIN code for the SIM card in the phone, followed by unlocking it by entering the PUK code. Only, instead of just unlocking the SIM card, using the PUK code ended up unlocking even the Android phone’s own Lock Screen menu, with the PIN set by the user being completely ignored.

In the parlance of security experts, this mode of attack is called “local privilege escalation”.

Despite the ease with which this exploit could be triggered, the security expert who reported it recounts that Google needed to more than 5 months to deliver security patches for it. Even so, the vulnerability is permanently closed only for new versions of Android, i.e., devices that still receive essential security updates. Instead for older generation Android-based devices, the Lock Screen menu could remain permanently compromised by this vulnerability.