Pixel Lockscreen Bypass due to Race-Condition in Dismissing PUK Screen ($70,000 USD)

We discussed this vulnerability during Episode 167 on 14 November 2022

Bit of a race condition leading to a lock screen bypass on Pixel devices.

The steps to trigger it are:

  1. Lock the phone
  2. Hot-Swap SIM Card with a SIM locked with a PIN
  3. Enter an incorrect SIM PIN three times, so that the SIM is locked until the Personal Unlock Key (PUK) is used
  4. Enter the PUK
  5. Set a new SIM PIN
  6. Security dialogs will be dismissed and you will land on the homescreen

What happens here is made a bit clearer by the commit message. After the successful PUK unlock, the PUK controller issues multiple dismiss() calls. At the same time, other parts of the system listening for SIM events notice the PUK unlock and update which security screen should come next (the device's own lock screen). Any dismiss() call from the PUK controller that lands after that update is no longer dismissing the PUK screen; it dismisses whatever is current, which is now the lock screen itself.
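The ordering problem, replayed in a small model written for these notes rather than taken from AOSP. KeyguardModel, SecurityMode and simulate() are invented names; the "guarded" variant, in which a dismiss() must name the screen it expects to be current and is dropped otherwise, is assumed as one way to close the window, not a description of the actual fix.

```python
from enum import Enum, auto


class SecurityMode(Enum):
    SIM_PUK = auto()     # SIM blocked: the PUK entry screen is showing
    DEVICE_PIN = auto()  # the phone's own lock screen
    NONE = auto()        # nothing left to show: the device is unlocked


class KeyguardModel:
    """Assumed, simplified keyguard: one current security screen at a time."""

    def __init__(self, guarded: bool):
        self.guarded = guarded
        self.sim_blocked = True          # what the SIM-state listener has reported so far
        self.current = SecurityMode.SIM_PUK
        self.unlocked = False

    def on_sim_state_changed(self):
        # SIM-event listener: the PUK unlock succeeded, so the next screen
        # to show is the device PIN. This runs concurrently with dismiss().
        self.sim_blocked = False
        self.current = SecurityMode.DEVICE_PIN

    def dismiss(self, expected: SecurityMode) -> bool:
        """Returns True if the dismissal was honoured, False if dropped as stale."""
        if self.guarded and expected is not self.current:
            return False             # caller's screen is no longer the one showing
        if self.current is SecurityMode.SIM_PUK:
            # Until the listener runs, the SIM still reads as blocked: stay on PUK.
            if not self.sim_blocked:
                self.current = SecurityMode.DEVICE_PIN
        elif self.current is SecurityMode.DEVICE_PIN:
            self.current = SecurityMode.NONE   # dismissing the lock screen itself
            self.unlocked = True
        return True


def simulate(guarded: bool, race: bool):
    """Two dismiss() calls from the PUK controller; the SIM update lands
    between them when race is True, after both when race is False."""
    kg = KeyguardModel(guarded)
    kg.dismiss(SecurityMode.SIM_PUK)
    if race:
        kg.on_sim_state_changed()
    kg.dismiss(SecurityMode.SIM_PUK)   # stale second call: the bug is here
    if not race:
        kg.on_sim_state_changed()
    return kg.unlocked, kg.current
```

With the unguarded dismiss and the update interleaved, the model lands on the home screen with no device PIN ever entered; the guarded variant stops on the device PIN screen instead.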