Skip links

Serendipitous discovery nets security researcher $70k bounty

In brief A security researcher whose Google Pixel battery died while sending a text is probably thankful for the interruption – powering it back up led to a discovery that netted him a $70,000 bounty from Google for a lock screen bypass bug.

Now patched, the vulnerability would let anyone with a spare SIM card and access to a device to completely bypass the lock screen, giving them unfettered access to the device.

Hungarian security researcher David Schütz said in a blog post that he made the discovery when powering up his Pixel 6 and forgetting his SIM’s PIN code, requiring him to dig out the Personal Unlocking Key, or PUK, that would allow him to reset the PIN. After a reboot, his phone repeatedly hung on a “Pixel is starting” screen.

Schütz tried replicating the issue, but on one occasion he forgot to reboot the phone. “As I did before, I entered the PUK code and chose a new PIN. This time the phone glitched, and I was on my personal home screen,” Schütz said. 

After a few additional attempts, Schütz said he was sure he had a “full lock screen bypass, on the fully patched [at the time] Pixel 6. I got my old Pixel 5 and tried to reproduce the bug there as well. It worked too.”

The problem stemmed from Android calling a .dismiss() function whenever the SIM PUK was reset. Schütz said that what Android seems to have done was to dismiss the screen prompting the PUK to be reset, while accidentally not sending that request until the PUK reset screen had already disappeared. Since the active security layer underneath was all that was left, Android dismissed it without realizing the mistake.

Schütz said Google triaged the issue quickly when he submitted it, but it then sat silently for several months. After asking for a follow up, he was told that the issue was a duplicate. Later on, Google admitted that, even though his bug was a duplicate, it was only because of his report that the company took action and patched it in Android’s November 5 security update.

Being a duplicate, Google couldn’t award the full $100,000 that a bug of that severity deserved, but the company decided to give him $70,000 since he spurred it into action. 

Phishing gang Royally ups its game

A threat actor known to Microsoft as DEV-0569 has reportedly stepped up its game from phishing and spam emails to using more dangerous tactics, and even possibly selling access to ransomware operators trying to deliver a new strain of ransomware known as Royal. 

DEV-0569 shows a continual pattern of innovation, Microsoft said, making these latest pivots only one in a long line of tactics the group has adopted and payloads it has deployed.

Recently adopted tactics that Microsoft has spotted include using contact forms on targeted websites to deliver phishing links, hosting fake installer files on fake download sites as well as legitimate repositories, and expanding malvertising activity to Google ads, “effectively blending in with normal ad traffic,” Microsoft said. 

As for the deployment of the Royal ransomware, Microsoft said that instances of DEV-0569’s infection chains “ultimately facilitated human-operated ransomware attacks distributing Royal,” but the company doesn’t outright say that DEV-0569 is behind the attacks. 

The group will likely continue to rely on phishing and malvertising. Microsoft recommends protecting systems accordingly; e.g., updating systems, blocking certain web traffic, etc.

Another Booz Allen employee caught smuggling data

Booz Allen Hamilton Holding Corporation, former employer of ex-NSA contractor and Russian citizen Edward Snowden, has told its employees that, before leaving the company, one of their coworkers made off with a copy of a report containing their personally identifiable information.

Lots of it.

“Based on our review, there was personal information exposed including: your name, social security number, compensation, gender, race, ethnicity, date of birth, and US Government security clearance eligibility and status as of March 29, 2021,” the company said in a form letter [PDF] it sent to employees.

The firm doesn’t believe that the employee intended to misuse the data, and believes the threat to its employees to be low. Nonetheless, Booz Allen is providing two years of Equifax credit monitoring for employees just in case.

Booz Allen, you may recall, was Edward Snowden’s employer when he leaked details about NSA spying operations to the press in 2013. That’s not the only high-profile leak incident Booz Allen has had, either: Three years after the Snowden affair, another employee got caught with classified documents he’d sneaked home from the intelligence contractor.

Now may also be a good time for Booz Allen to consider changes to its hiring process. ®