The big reason to immediately update to the November security patch – besides being the first one for the Pixel 7 – is that it contains a bug fix for a security issue that can unlock and bypass your Pixel phone’s lockscreen. 

David Schütz discovered the issue (CVE-2022-20465) and says an “attacker with physical access [can] bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s device.” 

In the demo video below, we see a locked device with biometrics disabled from several incorrect tries. Swap out the SIM and then you’ll have to “Enter SIM PIN.” After three wrong PIN attempts, users are asked for the PUK code, which you’ll be aware of since it’s your SIM card. 

Following successful entry, you enter a new PIN code for that SIM card and the phone will unlock to your homescreen with full access. 

Since the attacker could just bring his/her own PIN-locked SIM card, nothing other than physical access was required for exploitation. The attacker could just swap the SIM in the victim’s device, and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code.

Schütz reported this unlock bug to Android’s Vulnerability Rewards Program in the middle of this year, but Google did not move on the Pixel lockscreen issue until September (after some in-person prompting). It resulted in a $70,000 reward and is listed in the November security patch under a “System” issue with “High” severity.” The company additionally lists Android 10, 11, 12, 12L, and 13 as the “Updated AOSP versions.”

The November security patch is currently available for the Pixel 4a and newer. Google’s technical fix is listed here.

More on Pixel:

FTC: We use income earning auto affiliate links. More.


Check out 9to5Google on YouTube for more news:

You’re reading 9to5Google — experts who break news about Google and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Google on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Abner Li

Editor-in-chief. Interested in the minutiae of Google and Alphabet. Tips/talk: abner@9to5g.com