New Android Lock Screen Bypass Vulnerability Exposed

New Security Flaw Discovered

Security researcher Jose Rodriguez, known online as @VBarraquito, has identified a significant lock screen bypass bug in Android 13 and 14 devices.

This vulnerability could expose sensitive data stored in people’s Google accounts. The bug Rodriguez discovered lets attackers with physical access to a device bypass the lock screen and access personal data, including photos, browsing history, and contacts.

Google's Awareness and Inaction

Interestingly, Rodriguez initially sought a way to open Google Maps links directly from the lock screen. His explorations led to the discovery of this vulnerability.

More concerning is Rodriguez's claim that Google has been aware of this issue for at least six months without taking action. As reported by the researcher, Google acknowledged the issue in May, but no security update to address the flaw had been scheduled even by the end of November.

Exploit Scenarios and Risks

The vulnerability presents two main scenarios, based on the user's configuration of Google Maps. In the first, where Driving Mode is not enabled, attackers can access and share recent and favorite locations, as well as contacts.

The second, more complex scenario involves chaining another exploit to access and publish photos, extensively manipulate the Google account, and potentially gain full account access. Rodriguez urges Android users to test this lock screen bypass on their devices and report their findings.

Previous Incidents and Google's Response

This is not the first lock screen bypass incident on Android. Last year, David Schütz discovered a similar issue on Google Pixel devices.

An attacker could swap the SIM card of a locked Google Pixel device with one where the PUK code was known. This allowed the bypassing of the lock screen - a significant security flaw that required minimal technical skill to exploit.

Google's response time to such vulnerabilities has been notably slow, with the previous incident reported in July but only addressed in November with a security patch.

This pattern raises concerns about the tech giant's commitment to promptly addressing security flaws that put users at risk.