Dangerous SIM-swap lockscreen bypass – update Android now!
2022-11-11 19:59

According to Schütz, he stumbled on a total Android lockscreen bypass bug entirely by accident in June 2022, under real-life conditions that could easily have happened to anyone.

In Schütz's case, it was the humble PIN on his SIM card that stumped him, and because SIM PINs can be as short as four digits, they're protected by a hardware lockout that limits you to three guesses at most.

To protect against PUK guessing attacks, the SIM automatically fries itself after 10 wrong attempts, and needs to be replaced, which typically means fronting up to a mobile phone shop with identification.

As you probably know from the many times we've written about lockscreen bugs over the years on Naked Security, the problem with the word "Lock" in lockscreen is that it's simply not a good metaphor to represent just how complex the code is that manages the process of "Locking" and "Unlocking" modern phones.

Schütz was able to parlay his inadvertent PUK discovery into a generic lockscreen bypass by which anyone who picked up a locked Android device could trick it into the unlocked state armed with nothing more than a new SIM card of their own and a paper clip.

In case you're wondering, the paper clip is to eject the SIM already in the phone so that you can insert the new SIM and trick the phone into the "I need to request the PIN for this new SIM for security reasons" state.


News URL

https://nakedsecurity.sophos.com/2022/11/11/dangerous-sim-swap-lockscreen-bypass-update-android-now/

Related vendor

LAST 12M

| VENDOR | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS |
|---|---|---|---|---|---|---|
| Android | 4 | 0 | 17 | 2 | 0 | 19 |