  • Lockscreen bypass fixed in November's update - discovered by GrapheneOS in June

CVE-2022-20465 was patched in the previous GrapheneOS update as part of the included AOSP security patches.

Information about the discovery is posted on the project's Twitter account:

We independently discovered the Android lockscreen bypass fixed in Android's November security update while working on features like a duress PIN/password.
We had an initial patch developed by June 13 but by the time we submitted an upstream bug report, it was a duplicate issue.

A detailed explanation is included in our tweeted thread:
https://twitter.com/GrapheneOS/status/1591306063454031872 | nitter


For how long was this vulnerability in Android? Was it introduced in one of the recent versions or was it in there for a long time? Checking the PUK of the SIM card sounds like a standard function that wouldn't change too often after being implemented?

    wonder75 To be honest, I don't recall specifically, but it can easily be found in AOSP's git commit history. Possibly since Android 10.
    I could be wrong.

    The researcher who ultimately got paid $70,000 for reporting this vulnerability was initially told that it was a "duplicate issue". Is this because GrapheneOS reported it first?

      IamDaedalus I'm led to understand that there was another report even before GrapheneOS figured it out. They told the dev who got the money that there was a duplicate report about it, but they also told the GrapheneOS team that there was a duplicate.

      Hi all

      Thank you all for your hard work to make GrapheneOS possible.

      My friends and I are using Pixel 3 and we understand that security updates have stopped for these devices.

      Does that mean these devices are regarded "unsafe" to use since pixel 3 will not be getting the Nov updates?

      Thanks

        7sec Pixel 3 and Pixel 3 XL have been end-of-life since after October 2021 and have not received many security updates since after that point. Please look at the security patch level in Settings: November 1st, 2021. You're over a year late to notice that the device is not regarded as safe to use. The first month without full security updates was November 2021, not November 2022. We continued shipping AOSP and GrapheneOS updates for those end-of-life devices until Android 13 was released in August 2022, at which point we switched to only shipping a smaller subset of patches. We did ship the lockscreen bypass patch for them but that doesn't mean you should be using them.
