Google Pixel phones were recently updated with a fix for a security flaw that allowed a user to bypass the lock screen, after it was reported by a security researcher. The company announced earlier this week that it had begun globally rolling out the November Android update for the Pixel smartphones running on Android 13. This update will be made available to Pixel users gradually over the next few weeks. Apart from bringing fixes and improvements, this update also includes the November 2022 Android security patch, which includes a bug fix that resolves a security issue that allows people to bypass the lock screen using a SIM card.
Security researcher David Schütz discovered a security flaw, tracked as CVE-2022-20465 in the November 2022 Android security patch update. It allowed an attacker with physical access to a Pixel smartphone to bypass lock screen security measures such as fingerprint, PIN, and pattern.
Schütz demonstrated the bug on the Pixel 6, which allowed people to bypass the biometrics by swapping out the SIM card and entering the SIM PIN incorrectly three times. The device would then ask for the Personal Unlocking Key (PUK) code.
Entering the PUK code correctly, the phone would ask for a new PIN code for that SIM card. The handset would then unlock and take users to the home screen with full access to the device.
Schütz had reported this bug to Google via the Android Vulnerability Rewards Program. After waiting for a few months, he was rewarded with $70,000 (roughly Rs. 56,57,000) for spotting the security flaw. It is now [listed] in the November security patch as a High severity system issue. It has also been included in the Android Open Source Project (AOSP) version of Android 10, 11, 12, 12L, and 13.
As mentioned earlier, Google has started rolling out the November 2022 Android 13 update, including the November 2022 Android security patch, for Pixel 4a and newer devices. You can check for this update by going to Settings > System > System update on an eligible Pixel smartphone.
Affiliate links may be automatically generated - see our ethics statement for details.