Submitted by redhatGizmo t3_yu1aeg in technology
Comments
masterhogbographer t1_iw7df4k wrote
Because it isn’t apple.
And I say that with zero intention on trying to start a flame war.
I say that because due to various reasons whenever apple has a flaw like this everyone knows about it very quickly after reported. And by everyone, I mean everyone.
There was a hands on device vulnerability in iOS last year or the year before, that my wife asked me about wondering if she needed to upgrade iOS asap. She is not tech savvy and I’m the only one in her life that is.
The inverse is, when there’s a similar exploit for non-apple devices, even people in the field can miss it. A friend of mine is a decent techie. Works in IT, and one of their specialities at the company he works for is security.
But the last few vulns for android that have popped up, I’ve been the one notifying him — he an android user and apple hater, me somewhat agnostic — of those vulnerabilities. Meanwhile, he texts me the instant there’s public word of an iOS or MacOS exploit lmao (not even joking, his hatred is not healthy imo, but I guess tribalism is society these days…)
The sad part is, if this was apple, after just an hour this post would be front page back in June. And then there would be reposts of the same blog articles across dozens of subs that also would have been top of their sub with hundreds of comments and every month since June there’d have been more articles bubbling to the top with titles like “how hasn’t apple fixed this yet?” Or “Tim cook should resign in face of deflategate” wait that’s another thing entirely
RejZoR t1_iw7h9hz wrote
Thing with iPhones is, you know if you're affected or not. I've recently returned to Android and I have no clue if my Poco is affected or not. And knowing Xiaomi, it's either not affected because it's so modified or it is affected and won't be fixed even months after Google fixes it in AOSP repository.
[deleted] t1_iw7kf63 wrote
[deleted]
RejZoR t1_iw8gm8y wrote
Just out of curiosity if anything has improved. It mostly hasn't. Have plans to buy Galaxy S23 if it'll be any good, but couldn't wait for that long.
[deleted] t1_iw89i14 wrote
[removed]
Informal-Lead-4324 t1_iw7qhp6 wrote
Why is Apple so good?
I'm saying this as someone who thoroughly enjoyed the iPhone 3, 3g, and iPhone 4.
[deleted] t1_iw7rzkr wrote
[deleted]
Informal-Lead-4324 t1_iw7tfv8 wrote
What software is better on it?
And wym implementation
The only time I've dealt with Apple support, it's been the phone (battery) breaking and them telling me to buy a new device lol. Fortunately they got sued for it I think
[deleted] t1_iw7w044 wrote
[deleted]
JazzioDadio t1_iw8gadf wrote
It's nitpicky but for the sake of accuracy it should be said that Google's Pixel phones have held the crown of best camera processing software for some time now.
With Apple's new(ish) custom silicon I'd agree that their implementation of certain features is still top notch, but they'll have to work to keep that lead.
terraherts t1_iw8m8dn wrote
Completely disagree on software.
Speaking as someone who owns an Android phone (Pixel), an iPad, a Windows PC, a macbook pro, and uses Linux for work, so I use a bit of everything.
They get a lot of low-level software stuff right, certainly, especially for a company that's making a lot of bespoke proprietary hardware. But their frontend and first party stuff is... not great.
iOS's notification system is still leagues behind Android, and I find the less I use Apple's first party software on macOS the better. "Ecosystem integrations" like sidecar are so unreliable that I've given up trying to use them, Stage Manager are really half-baked (iOS) or seem to duplicate existing features (macOS), etc. Settings and breadcrumbs on iOS are still a headache. iTunes is somehow still one of the worst interfaces I've ever used, people just don't notice as much because it's rarely needed anymore. Finder is still my least favorite default file manager across any desktop OS. Files on iOS only recently became what I'd consider non-alpha quality.
Main reason I have the macbook pro (M1) and iPad is the hardware. Apple's made some flubs on hardware too of course (most of the MBPs from 2016 up until the new M1's for example), but a lot of their more recent stuff is very solid on that front.
ll-0000-ll t1_iwbcnat wrote
The software is better because it's much more optimized. iPhones have longer battery life than androids while having a smaller battery. How? Software. This is just an example.
OneAd3613 t1_iw8qmik wrote
Test it?
bengringo2 t1_iw7ycli wrote
I don’t understand it for the life of me. When I don’t use a company’s product I simply don’t think about them. I think some people just bask in schadenfreude as a hobby.
omniuni t1_iw8idl6 wrote
This is also an incredibly specific use case. You need to have the phone configured with a PIN locked SIM.
[deleted] t1_iw9a6cr wrote
[deleted]
Eskimoobob t1_iw87num wrote
Uh not to deflate you, but my work is predominantly apple and what I monitor for security flaws, but I utilize Android devices personally.
I naturally come across research for apple devices but we have no Android for our MDM so it isn't pertinent to our mission.
BasementDweller3000 t1_iw7o4l4 wrote
My Apple Watch can unlock my iPhone. Last week as I was putting on my Watch, I had my iPhone nearby and it unlocked my iPhone before I had a chance to unlock my Watch first.
Edit: Never mind. I was mistaken. See below.
Stingray88 t1_iw7p372 wrote
That’s not true, that’s not how it works at all.
Apple Watch can only unlock your phone if it is already unlocked. And it only tries to unlock your phone after it fails to unlock via FaceID because you’re wearing a mask or something.
BasementDweller3000 t1_iw7ph2w wrote
I know that’s how it’s supposed to work, but I saw it unlock my iPhone without the Watch even being on my wrist yet.
Edit: Never mind. I was mistaken. After trying to replicate it a few times, it seems that what actually happened is I had my iPhone in front of me, my face unlocked the iPhone and then my iPhone unlocked my Watch the moment I got it on my wrist. I misread the notification telling me that my iPhone unlocked my Watch as if it were saying my Watch unlocked my iPhone.
Eskimoobob t1_iw87d55 wrote
Plenty of people are, you might just not roll with the cybersecurity crowds.
Filthy_Firestarter t1_iw8fth1 wrote
Especially when Google loves to slam others for vulnerabilities. Don't they just post the exploit if it isn't fixed in 2 or 3 months? God forbid when they have an issue though.
Torifyme12 t1_iw8h0jp wrote
They knocked that shit off quick when MSFT formed the "Fuck Google" research group.
Now they're (surprisingly /s) more flexible.
erosram t1_iw7g4ju wrote
Seems like a major overlook on Android's part. And now on the media's part.
Translationerr0r t1_iw7hb3t wrote
I hope you all noticed the "started from an unlocked state"-statement.
hildebrot t1_iw7om64 wrote
And it was only reproduced on two Pixel models, not Android as a whole as the title might mislead people to believe.
[deleted] t1_iw85oux wrote
[deleted]
FlaringAfro t1_iw88x6e wrote
Not fair. That wasn't in the first paragraph.
dingo1018 t1_iw845ue wrote
Still bagged the guy 70 large in reward money from Google, not a bad day's work at all. Did I read that right 70 grand???
Hilppari t1_iw85j6h wrote
It's a lot more than two Pixel models. Other brands are affected. I've tested on Zenfone 9 and even Lineage OS, with latest updates. Older phones that don't have any more updates are also affected.
killerjerick t1_iw8s6ln wrote
Classic that the top level comment and its most upvoted reply are completely false if you bother to read the article in its entirety, or you know, watch the video included…
[deleted] t1_iw85n72 wrote
[deleted]
prs1 t1_iw816rl wrote
They start from a locked state in the video.
killerjerick t1_iw8s1zm wrote
I hope you notice that you’re completely incorrect.
9-11GaveMe5G t1_iw9jinr wrote
If you read the full writeup by the guy who found it, he starts from a fresh, locked, encrypted reboot. You could hand me your phone off and I could do it.
[deleted] t1_iwaoaid wrote
[removed]
[deleted] t1_iw7xfww wrote
[removed]
twitterfluechtling t1_iw74t7q wrote
What about encrypted devices? I expect Android can't unlock the storage without the security code, so it should be logically impossible to dismiss that dialog and still start the device?
MindStalker t1_iw7d29x wrote
It looks like you don't need to shut down the device. So if it's already on when stolen you're screwed.
davidemo89 t1_iw9168r wrote
You were screwed. They fixed it.
deserteagle_007 t1_iwahxf5 wrote
For anyone running Security patch November release. So most phones are still vulnerable besides Pixels
Alberiman t1_iwanpc8 wrote
Everything's coming up Millhouse!
[deleted] t1_iw8fac3 wrote
[removed]
ListRepresentative32 t1_iw79osw wrote
Yes, the bypass doesn't work after a fresh reboot. On a device that was at least once unlocked after boot, it works no problem.
aredna t1_iwb86ee wrote
According to his blog it also works after a reboot and that's how he found it. He later found the reboot wasn't necessary. This made it more dangerous because you need less time to get in.
ListRepresentative32 t1_iwbw4cy wrote
Depends on what exactly works. The lock screen dismiss works every time, that's true. But it's of any use only if the device was previously unlocked with PIN/password after boot. Otherwise the phone is still encrypted and bypassing the screen is useless (you can't access any user data).
Translationerr0r t1_iw7hunl wrote
That's not how I read this: they started from an unlocked state to get past the fingerprint unlock screen. Did I miss something?
[deleted] t1_iw85vkx wrote
[deleted]
Macluawn t1_iw9p8dy wrote
When a phone is rebooted, a password must be entered before touch id or face id will work.
In this context, "unlocked" doesn't mean you start from the home screen - it means the password was entered at some point since the phone was last booted up and is now in an unlocked state where touch/face id can be used.
Translationerr0r t1_iwaoczk wrote
Got it, thanks for clarifying.
Translationerr0r t1_iw7hnvf wrote
The article mentions you either run into fingerprint unlock screen (when starting from a locked screen or after restart) OR you start from an unlocked screen (which makes the hack just a waste of time as it's already unlocked).
hildebrot t1_iw7oa9y wrote
Right, so for anyone who didn't read the article:
- The only way to get inside the phone was either with a correct fingerprint OR if he started in UNLOCKED STATE. Meaning that this was all useless because why would you do all that if you already have access?
- This was only possible on two Pixel phones, not Android as a whole. Kind of stupid to write a title like that.
synackk t1_iw7przs wrote
- Unlocked state here means at some point the phone has been unlocked at least once for the encryption. If someone stole your phone after you’ve used it once, they’d be able to bypass the unlock screen.
- That’s just what the discoverer of the exploit was able to test it on. There have been other reports it’s worked on non-pixel phones or custom android distributions.
Trev82usa t1_iw7upix wrote
Which has also been patched already
hildebrot t1_iw7w5jb wrote
>Unlocked state here means at some point the phone has been unlocked at least once for the encryption
That is not what the article says.
synackk t1_iw88blr wrote
That came from the original source: https://bugs.xdavidhu.me/google/2022/11/10/accidental-70k-google-pixel-lock-screen-bypass/
>>> As I did before, I entered the PUK code and choose a new PIN. This time the phone glitched, and I was on my personal home screen. What? It was locked before, right? This was disturbingly weird. I did it again. Lock the phone, re-insert the SIM tray, reset the PIN… And again I am on the home screen. WHAT? My hands started to shake at this point. WHAT THE F**K? IT UNLOCKED ITSELF?
Article could be wrong or wording it poorly
steak4take t1_iw9gxrc wrote
Bleepingcomputer misrepresenting information to sell ad Clicks? That's unpossible!
Dominicus1165 t1_iwamryl wrote
That’s why a video is embedded into the article.
The phone was unlocked. It is locked now and not restarted.
Fingerprint is disabled by failing too often.
oauth20 t1_iw74ia4 wrote
Possibly this was kept as backdoor for government agencies 👀
Lance-Harper t1_iw75jzo wrote
That’s conspiracy whilst google patched it last week.
If the gov REALLY wants something from you, there are many many other ways than asking a tech giant to manufacture a front door (because that’s not a back door), and making it look like a bug, only temporary.
simianire t1_iw7lwoz wrote
Whilst?
JazzioDadio t1_iw8go28 wrote
dictionary.com
_pelya t1_iw8h9q6 wrote
nyaaaa t1_iw9ke2w wrote
Nah, more likely the testers didn't bother with the PUK because they forgot that still exists.
WexfordHo t1_iw7ft1f wrote
As if 20 minutes with a rubber hose wouldn’t get the same results and more, for less money and exposure.
GrossCreep t1_iw7g6dr wrote
Or a pitcher of water and a towel
tlsr t1_iw7rq7g wrote
>accidentally finds a way
Whips out "attacker controlled sim"
KiraUsagi t1_iw8e27q wrote
The attacker controlled SIM is just there to show how an attacker would get in. You could do it with the SIM that was already in there but you need to know what the PUK code is. This is how the researcher originally discovered the flaw.
MC68328 t1_iw7yzmx wrote
And every Pixel phone from the Pixel 4 and earlier will have this fatal flaw, since Google refuses to continue security updates.
Hewhoisnottobenamed t1_iw810fv wrote
Hey Now! We can't have people choosing not to upgrade their perfectly functional old phones to the newest and most expensive ones.
Complainer_Official t1_iw84x81 wrote
the new software is too demanding for old hardware.
although, it seems like it would add a few jobs for the economy if google had a division for keeping their old code up to snuff.
or even allow opensource devs to do it. that would be cool too.
JazzioDadio t1_iw8gvs3 wrote
That's an awfully convenient excuse. I'm sure if they wanted to they'd find a way to get new security updates on much older hardware, but they won't do that because then no one would abandon their otherwise perfectly functioning phones. And I say this as a lifelong pixel user.
sleepybrett t1_iw9dxhc wrote
Backport the patch to the old versions of the OS. Apple has done this in the past when faced with similar issues.
the-samizdat t1_iw7nw28 wrote
What is an “attacker controlled sim”?
jdeezy t1_iw7h3vm wrote
What about android 8?
Zingo_sodapop t1_iw8ipvi wrote
How about android 9 or 8?
SmegmaSmeller t1_iwamsll wrote
You're likely screwed at least for a while. Running android 11 and have no updates and no recent updates
[deleted] t1_iw74gyl wrote
[removed]
[deleted] t1_iw880po wrote
[deleted]
RipThrotes t1_iw8rit5 wrote
There is a way to bypass the lock screen while starting my Samsung Galaxy s10e.
When you boot up, it has to load all settings or something like that, and at the right point in boot up it will allow you to navigate the phone before everything has loaded.
It may push you to the lock screen once that has configured, I don't do it often, but it may be a legitimate variation of this "news" story.
SMHeenan t1_iw9176l wrote
For what it's worth, my Pixel did not notify me of this security update. I had to manually update my phone to get this patch.
skunksmasher t1_iw9izp9 wrote
Sweet Potato ?
Starr-Duke t1_iw9qr2k wrote
Can bypass my fingerprint scanner on my note 10 by turning on the screen and tapping the fingerprint sensor with anything while shutting the screen off at the same time. Works 1/10 or so times
joeg26reddit t1_iwa9so6 wrote
"when he tried reproducing the flaw without rebooting the device and starting from an unlocked state"
I found a way to bypass the lock screen
Step 1) Start from an unlocked state...
ZZ3xhZz t1_iwbkkpx wrote
"Android phone owner accidentally" Vs. "Cybersecurity researcher"
That's a very deceptive headline - the first one implies an everyday joe, and the second one implies a highly specialized expert in the field.
You also need access to the PUK, not something you'd have easy access to unless you already have nefarious ways to access that from the service provider.
This only applies to 2 specific models of phones - the 1000s of other android devices not affected.
TheElusiveFox t1_iw8nz2s wrote
By Android phone owner, they mean Security researcher, and by accidentally, they mean this convoluted 5 step process...
I'm not saying it isn't terrible that you could bypass the lock screen, but let's not pretend that someone just accidentally swiped diagonally or something and the phone opened.
Myte342 t1_iw9w066 wrote
Hurray the English language! In this instance 'by accident' would mean the person was not actively TRYING to find a way to bypass the lock screen, rather that he happened across it while doing something else. They did not use the term 'accident' to imply the guy dropped his phone and it unlocked. That the entire process involves a few steps does not invalidate that it was discovered 'by accident'.
Example: Post-It Note glue and WD-40 were so totally the intended results and not 'discovered by accident' while trying to create a completely different chemical than what resulted in their experiments so we should just ignore those inventions entirely and downplay their significance cause the inventor didn't just combine two chemicals together and snap his fingers to make something appear but because they both involve a complicated process of multiple steps they couldn't possibly have been discovered by accident.
No-Mission-962 t1_iw7n1oi wrote
Lol, it's not as big as people are making it to be. Basically the person needs to know the SIM card unlock code and even after that the device will ask for a fingerprint.
pickled-egg t1_iwbh9y8 wrote
No, that isn't how it works.
Watch the video, it has been demonstrated.
tsfbdl t1_iw82y8q wrote
Ehhh I don't even put a lock on my phone I'm mentally disabled and can't remember passwords easily everything I have is written on the phone and if I get locked out I'm screwed
[deleted] t1_iw8nb5w wrote
[removed]
[deleted] t1_iw78kly wrote
[deleted]
gizamo t1_iw7igdp wrote
...except the patch is already available for all Android devices running Android 10+, which includes all Pixel 4 devices.
random125184 t1_iw77gsu wrote
Reported in June. Not fixed until November. Holy shit. This is huge. Why is no one else talking about this?