Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Accidental $70k Google Pixel Lock Screen Bypass- 1006

David Schütz, posted 3 years ago
  • The author completely forgot their SIM PIN. Since they were tired, they entered the PIN incorrectly 3 times and had to use the PUK code to unlock the SIM and get the phone working again. They did that, set a new PIN code, and all was good. Or was it?
  • On the following boot, the fingerprint icon was shown instead of the lock screen PIN or password prompt needed to decrypt the device. Is this real life? Having come across this anomaly, the author, being a hacker, decided they had to reproduce it. They played around with variations of what they had done (turning off the phone, changing the SIM, ...) until they found something that was consistent.
  • The attack goes as follows:
    1. Force the phone to require a SIM card PIN code.
    2. Replace the SIM card in the phone in order to know the SIM code.
    3. Enter the SIM code incorrectly 3 times.
    4. Enter the SIM code.
    5. Lock screen is bypassed!
  • The bug had already been reported to Google but couldn't be reproduced. After the author demonstrated it to a Google engineer at a bug bounty event, Google decided to reward the author with the bounty, since the issue was now reproducible. How does a bug like this come about? Surprisingly, it was a very complicated fix.
  • When a security screen (password entry screen, SIM PIN, etc.) is rendered, it is essentially pushed onto a stack of screens, one on top of the other. When a security screen was completed, it would call the dismiss() function to get rid of the current screen. But this was vulnerable to a race condition: something in the background could reset the current screen state to the original one, and the dismiss() call would then remove that new current screen instead!
  • So by entering only the one PIN code for the SIM, it would sometimes bypass the lock screen PIN as well. A pretty crazy bug! To fix this, calls to dismiss() are now targeted at a particular screen rather than at whatever screen is current. For instance, the SIM PUK screen is dismissed specifically, instead of the generic current screen.
  • Overall, a great write-up with a fun story to tell! My takeaways: be observant and look into weird things that happen, and be persistent, as you may still get the bounty if you provide more value than the other hacker.
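The generic versus targeted dismiss() behaviour described above, as an added illustration (a constructed Python model, not Android's keyguard code; Screen, SecurityContainer and simulate are hypothetical names): a background SIM state change resets the current screen to the device PIN, so a generic dismiss() pops the wrong screen and unlocks the device, while a dismiss targeted at the screen that actually finished refuses the stale request.

```python
from dataclasses import dataclass, field
from enum import Enum


class Screen(Enum):
    DEVICE_PIN = "device PIN"   # the lock screen that got bypassed
    SIM_PUK = "SIM PUK"


@dataclass
class SecurityContainer:
    """Stack of security screens; the top entry is what the user sees (constructed model)."""
    stack: list = field(default_factory=lambda: [Screen.DEVICE_PIN])
    unlocked: bool = False

    @property
    def current(self) -> Screen:
        return self.stack[-1]

    def _pop(self) -> None:
        self.stack.pop()
        if not self.stack:           # no security screen left -> device unlocks
            self.unlocked = True

    def dismiss_generic(self) -> None:
        """Vulnerable: removes whatever screen is current, regardless of who asked."""
        self._pop()

    def dismiss_targeted(self, finished: Screen) -> bool:
        """Fixed: only removes the screen the caller actually completed."""
        if self.current is not finished:
            return False             # stale request; leave the real screen up
        self._pop()
        return True

    def on_sim_state_changed(self) -> None:
        """Background event (the race): SIM is usable again, keyguard shows the device PIN."""
        self.stack[:] = [Screen.DEVICE_PIN]


def simulate(race: bool, targeted: bool) -> SecurityContainer:
    """PUK entry just succeeded; optionally a SIM state change lands before dismiss."""
    kg = SecurityContainer()
    kg.stack.append(Screen.SIM_PUK)  # PUK screen shown on top of the device PIN
    if race:
        kg.on_sim_state_changed()    # current screen is now DEVICE_PIN
    if targeted:
        kg.dismiss_targeted(Screen.SIM_PUK)
    else:
        kg.dismiss_generic()
    return kg
```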