Android discovery nets security researcher $70,000 bounty • The Register


In short A security researcher whose Google Pixel ran out of battery while he was texting is probably grateful for the outage: powering it back on led to a discovery that earned him a $70,000 bounty from Google for a lock screen bypass bug.

Now fixed, the vulnerability allowed anyone with a spare SIM card and physical access to a locked device to bypass the lock screen completely, giving them unrestricted access to the device.

Hungarian security researcher David Schütz said in a blog post that he made the discovery after turning his Pixel 6 back on and forgetting his SIM card PIN, which forced him to dig out the PIN Unlock Key, or PUK, needed to reset the PIN. After a reboot, his phone repeatedly got stuck at a “Pixel is starting up” screen.

Schütz tried to reproduce the problem, but on one occasion he forgot to restart the phone. “Like I did before, I entered the PUK and chose a new PIN. This time the phone crashed and I was on my personal home screen,” Schütz said.

After a few more attempts, Schütz said he was sure he had a “complete bypass of the lock screen, on the [at the time] Pixel 6. Got my old Pixel 5 back and also tried to reproduce the bug. It worked too.”

The root cause was a .dismiss() call that Android made whenever a SIM PUK reset completed. According to Schütz, the call was meant to close the PUK prompt, but it was only issued after the PUK screen had already gone away. Because .dismiss() did not check which security screen it was closing, it acted on whatever was left on top of the stack, the device's real lock screen, and discarded that instead without noticing the mistake.
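To make the bug class concrete, here is an added Python model (it is not Android's code and not from Schütz's write-up): a keyguard that keeps its security screens on a stack, a dismiss() that pops whatever is on top, and a hardened variant that refuses to dismiss anything other than the screen the caller expected to close. The class and method names (Keyguard, sim_puk, puk_reset_succeeded) are hypothetical, and the event order replays the one described above: the SIM becomes ready and its PUK screen disappears before the PUK component's success handler calls dismiss().

```python
"""Toy model of a keyguard security-screen stack.

Added illustration only: the names (Keyguard, sim_puk, ...) are hypothetical
and Android's real KeyguardSecurityContainerController is far larger. The
point is the difference between an unconditional dismiss() and one that checks
which screen it is dismissing.
"""
from dataclasses import dataclass, field


@dataclass
class Keyguard:
    # Security screens in display order; the last element is the one on top.
    # The device is unlocked once the stack is empty.
    screens: list = field(default_factory=list)
    check_expected: bool = False  # False models the bug, True the hardened check

    @property
    def locked(self) -> bool:
        return bool(self.screens)

    @property
    def top(self):
        return self.screens[-1] if self.screens else None

    def lock(self, method: str = "pin") -> None:
        self.screens = [method]

    def sim_inserted(self) -> None:
        # A hot-swapped, PIN-locked SIM puts the SIM PIN prompt on top.
        self.screens.append("sim_pin")

    def wrong_sim_pin(self, attempts: int) -> None:
        # Three wrong SIM PINs make the SIM demand its PUK instead.
        if self.top == "sim_pin" and attempts >= 3:
            self.screens[-1] = "sim_puk"

    def sim_ready(self) -> None:
        # The SIM reporting READY tears down the SIM screens on its own.
        while self.top in ("sim_pin", "sim_puk"):
            self.screens.pop()

    def dismiss(self, expected: str) -> bool:
        """Close the top security screen. Returns True if something was closed."""
        if not self.screens:
            return False
        if self.check_expected and self.top != expected:
            # Hardened: the screen we meant to close is already gone, do nothing.
            return False
        # Buggy path: pops whatever is on top, even the real lock screen.
        self.screens.pop()
        return True

    def puk_reset_succeeded(self) -> bool:
        # Order seen in the bug: the SIM becomes ready (PUK screen gone)
        # before the PUK component's success handler calls dismiss().
        self.sim_ready()
        return self.dismiss(expected="sim_puk")


def run_bypass(hardened: bool) -> bool:
    """Replay the SIM-swap / PUK sequence; return whether the device stays locked."""
    kg = Keyguard(check_expected=hardened)
    kg.lock("pin")
    kg.sim_inserted()
    kg.wrong_sim_pin(3)
    kg.puk_reset_succeeded()
    return kg.locked


if __name__ == "__main__":
    print("buggy keyguard still locked:   ", run_bypass(hardened=False))  # False
    print("hardened keyguard still locked:", run_bypass(hardened=True))   # True
```

The hardened path is the mitigation this model assumes, not a claim about Google's exact patch: a component that opened a security screen should only ever be able to close that same screen, so dismiss() must verify the identity of what it is about to discard rather than trusting that the caller's screen is still the one on top.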

Schütz said Google quickly triaged the issue when he submitted it, but then went silent for several months. After he asked for a follow-up, he was told the issue was a duplicate. Google later conceded that, while his bug was a duplicate, it was only because of his report that the company took action and fixed it in Android's November 5 security update.

As a duplicate, the bug could not earn the full $100,000 that a flaw of this severity would normally attract, but Google decided to award $70,000 anyway, since his report was what prompted it to act.

Phishing Gang Royally Ups Their Game

A threat actor tracked by Microsoft as DEV-0569 is said to have stepped up its game, expanding beyond phishing and spam email into more dangerous delivery tactics and possibly selling access to ransomware operators looking to deploy a new strain of ransomware known as Royal.

DEV-0569 shows a continued pattern of innovation, Microsoft said, making these latest pivots just one more entry in a long line of tactics the group has adopted and payloads it has deployed.

Recently adopted tactics that Microsoft has spotted include using contact forms on targeted websites to provide phishing links, hosting fake installer files on fake download sites as well as legitimate repositories, and extending malvertising activity to Google ads, “effectively intermingling with normal ad traffic,” Microsoft said.

Regarding the deployment of Royal ransomware, Microsoft said that DEV-0569 infection chains “ultimately facilitated human-operated ransomware attacks distributing Royal”, but the company stops short of stating categorically that DEV-0569 itself is behind those attacks.

The group will likely continue to rely on phishing and malvertising. Microsoft recommends defending accordingly, for example by keeping systems patched and blocking risky web traffic such as downloads from untrusted sites.

Another Booz Allen employee caught smuggling data

Booz Allen Hamilton Holding Corporation, former employer of ex-NSA contractor and now Russian citizen Edward Snowden, has told its employees that one of their colleagues left the company with a copy of a report containing their personally identifiable information.

A lot.

“Based on our review, personal information was exposed including: your name, social security number, compensation, gender, race, ethnicity, date of birth, and government security clearance eligibility and status as of March 29, 2021,” the company said in a form letter [PDF] sent to employees.

The company does not believe the employee intended to misuse the data and rates the risk to its employees as low. Nevertheless, Booz Allen is offering affected employees two years of Equifax credit monitoring just in case.

Booz Allen, you may recall, was Edward Snowden's employer when he leaked details of NSA spying operations to the press in 2013. Nor was that the only high-profile leak incident at Booz Allen: three years after the Snowden affair, another of the intelligence contractor's employees was caught with classified documents he had taken home.

Now may also be a good time for Booz Allen to take another look at its hiring and vetting process. ®