Google Pixel screen-lock hack earns researcher $70k

Android security pwned by PUK reset trick

A security researcher scored a $70k bug bounty payout after accidentally discovering a Google Pixel lock-screen bypass hack.

The vulnerability, discovered by David Schütz, meant an attacker could unlock any Google Pixel phone without knowing the passcode. Google fixed the issue (tracked as CVE-2022-20465) with a November update, allowing Schütz to go public with his findings.

The vulnerability created a means for a potential hacker to bypass lock-screen protections such as fingerprint or PIN authentication and obtain physical access to a target device. The hack could be carried out with minimal technical skill against a range of mobile devices running Android, by following a series of steps.

Fortunately, the exploit is not something that would lend itself to remote exploitation.

Serendipity strikes

As explained in a blog post, Schütz came across the issue by chance when he forgot the PIN code of his Pixel phone and had to use the PUK code to regain access. After successfully completing the process, he noticed oddities in the lock screen he was confronted with.

“It was a fresh boot, and instead of the usual lock icon, the fingerprint icon was showing,” Schütz recalled. “It accepted my finger, which should not happen, since after a reboot, you must enter the lock screen PIN or password at least once to decrypt the device.”

After accepting his finger, the device crashed with a weird “Pixel is starting…” message, which Schütz addressed with a forced reboot.

Schütz decided to investigate the issue over subsequent days. On one occasion he forgot to reboot the phone, and just began from a normal unlocked state, locked the device, and hot-swapped the SIM tray, before carrying out the SIM PIN reset process.

After following this sequence before entering the PUK code and choosing a new PIN, Schütz was presented with his unlocked home screen.

The researcher realized that he had achieved a full lock screen bypass on the fully patched Pixel 6. The same trick worked on a Pixel 5.

Easy exploitation

Schütz realized the hack would be easily exploited by anyone, from spies to crooks and jealous spouses.

“Since the attacker could just bring his/her own PIN-locked SIM card, nothing other than physical access was required for exploitation. The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code.”

Patch puzzlement

Schütz reported the issue to Google and the tech giant processed and filed the bug promptly, but remediation took far longer.

After telling Schütz the issue was a duplicate, and therefore not normally eligible for a bug bounty, Google failed to act for some weeks, before repeated chasing by Schütz and a demo of the exploit to Google staffers at a Google-run bug hunter event called ESCAL8 in September prompted action.

Shortly after this, Google said that even though Schütz’s report was a duplicate, it had only started working on a fix because of his submission, so the firm had decided to pay him a $70,000 bounty for the lock screen bypass.

The bug was fixed on November 5, allowing Schütz to disclose his findings and a video demonstrating the flaw.

The researcher deduced from code changes that Android security screens can be stacked “on top” of each other.

“When the SIM PUK was reset successfully, a .dismiss() function was called by the PUK resetting component on the ‘security screen stack’, causing the device to dismiss the current one and show the security screen that was ‘under’ it in the stack,” he explained.

“Since the .dismiss() function simply dismissed the current security screen, it was vulnerable to race conditions” that meant that the PUK resetting component could dismiss an unrelated security screen, changed by a background process.

Google has changed the code so that it explicitly names the type of security screen to be dismissed.
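The race and the fix described above can be reproduced in a small model. This is an added example, not Android's code or Schütz's: the class, method and screen names are hypothetical, and the background change is forced to happen just before the dismiss call so the outcome is deterministic.

```python
from enum import Enum


class Screen(Enum):
    PIN = "device lock screen"
    SIM_PUK = "SIM PUK entry"


class SecurityScreenStack:
    """Toy model (assumption): the last element is the screen being shown."""

    def __init__(self, screens):
        self._stack = list(screens)

    @property
    def current(self):
        return self._stack[-1] if self._stack else None

    @property
    def unlocked(self):
        return not self._stack  # no security screen left means home screen

    def background_update(self):
        # Constructed race: a background component sees the SIM become ready
        # and removes the PUK screen itself, leaving the PIN screen on top.
        if self.current is Screen.SIM_PUK:
            self._stack.pop()

    def dismiss(self):
        # Pre-fix behaviour: dismiss whatever happens to be current.
        if self._stack:
            self._stack.pop()

    def dismiss_expected(self, expected):
        # Post-fix behaviour: the caller names the screen it means to dismiss.
        if self.current is not expected:
            return False  # stale request, the screen changed underneath us
        self._stack.pop()
        return True


def run(hardened, race):
    """Simulate a successful PUK reset; return (unlocked, screen shown)."""
    stack = SecurityScreenStack([Screen.PIN, Screen.SIM_PUK])
    if race:
        stack.background_update()
    if hardened:
        stack.dismiss_expected(Screen.SIM_PUK)
    else:
        stack.dismiss()
    return stack.unlocked, stack.current
```

With the untyped call, the stale dismiss removes the PIN screen and the model ends up unlocked; with the typed call, the same interleaving leaves the PIN screen in place.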

The Daily Swig invited Google to comment, and asked Schütz follow-up questions about his experience in bug bounty hunting and mobile security. No word back as yet, but we’ll update this story as and when more information comes to hand.

Calgary woman who neglected elderly father spared jail term

Leaving her elderly father on a basement floor for two days in a soiled adult diaper won’t mean jail for a Calgary woman.

Justice Indra Maharaj accepted a joint Crown and defence submission on Wednesday for a two-year-less-a-day conditional sentence order for Tara Picard to be followed by 12 months of probation.

Prosecutor Donna Spaner and defence counsel Shaun Leochko proposed a community-based term which will include eight months of 24-hour house arrest followed by a nightly curfew for the second eight months.

Maharaj also agreed with the lawyers to order Picard to commit 300 hours of community service over the length of the three-year sentence.

The Calgary Court of Justice noted that amount of community-service hours was “a lot” to commit to.

But Maharaj said it showed Picard, 52, was truly remorseful for her conduct towards her father, whom Postmedia is not identifying because of the embarrassing nature of the facts of the case.

“What that shows me is Ms. Picard does sincerely recognize what has happened here,” the judge said of her willingness to complete community service.

“What I interpret from that is Ms. Picard’s willingness to give back to the community.”

Picard pleaded guilty in January to charges of assault and failing to provide the necessaries of life to her 77-year-old father.

Court heard caregivers found the elderly Calgary man on the basement floor of his daughter’s southeast home wearing a soiled adult diaper.

At the time, Picard was responsible for her father’s day-to-day care after he was moved to her residence, Spaner, reading from a statement of agreed facts, told court at the time.

“He had a number of medical ailments, including non-insulin dependent diabetes, coronary artery disease, some early onset dementia-like symptoms and chronic alcoholism,” Spaner said.

“(He) had been living independently in a Calgary apartment building. Family members became concerned that he was not caring for himself safely.”

With the help of Alberta Health Services he was moved to a home where Picard resided.

A registered nurse assigned to his care attended the 38 Street S.E. home on Nov. 15, 2021, to drop off food bank supplies for him and was told he was sleeping downstairs.

When the nurse called about an hour and a half later and spoke to the man on the phone he said he was lying on the floor, had fallen and was unable to get up.

When she returned to the home with a co-worker she found the victim lying on his back on the floor.

“(He) said that he had been lying on the floor for two days,” Spaner said.

Leochko said Picard was overwhelmed by the situation she was thrust into.

“It really was more than she could handle,” he said.

Downhill Bikes of Sea Otter – Part 2

@juanhall: I gotta say, this was the most interesting bike in this post….love that Intense is experimenting with gearboxes…I can see it have a huge effect on DH bikes….thank god there’s still people pushing things. Now, they need to make an Enduro bike with the Pinion MGU!

 

Important updates regarding the Bob-Birnie Arena

The City of Pointe-Claire would like to inform you that the Bob-Birnie arena will be closed for its annual maintenance as of Monday, April 29. The Annex rink will reopen to the public on Monday, May 13, and the arena’s Main rink will be accessible as of Monday, June 3.

Public skating will resume on May 13, and the summer public activities programming will begin on June 3 when both rinks have reopened to the public.

In addition to the annual maintenance of the facility, two renovation projects are also scheduled to start at the same time:

Installation of new sound systems

The City will be replacing its current sound systems in both the Main rink and Annex rink, to offer arena visitors a better overall experience, whether watching from the stands or participating in on-ice activities. This project is expected to be conducted throughout the month of May.

Renovation of locker rooms in the Main Rink

The City will also be renovating the five locker rooms located in the Main rink, to bring up to date the amenities currently available to participants. These renovations are expected to begin in early May and will be completed by mid-August.

For all information about the Bob-Birnie arena, visit the arena’s page on our website.

 
