A vulnerability has been found in Android that allows the lock screen to be bypassed


If exploited, flaws of this kind can give an attacker unauthorized access to sensitive data or, more generally, cause trouble for the device owner.

News recently spread that a vulnerability has been found in Android (CVE-2022-20465) that allows the screen lock to be disabled by swapping the SIM card and entering the PUK code.

The problem is caused by an error in the handling of the unlock that follows entry of the PUK (Personal Unblocking Key), the code used to reactivate a SIM card that has been blocked after too many wrong PIN entries.

To disable the screen lock, all that is needed is to insert a SIM card of one's own, protected by a PIN, into the phone. After the PIN-protected SIM card is swapped in, a prompt for the PIN code is shown first. If the PIN is entered incorrectly three times, the SIM card is blocked, after which the user is allowed to enter the PUK code to unblock it.

It turned out that correctly entering the PUK code not only unblocks the SIM card but also switches straight to the main environment, bypassing the lock screen without any authentication with the main password or pattern.

The vulnerability stems from an error in the PUK verification logic of the KeyguardSimPukViewController handler, which is responsible for showing additional authentication screens. Android uses several kinds of authentication screen (for PIN, PUK, password, pattern and biometric authentication), and these screens are invoked one after another when several checks are required, for example when both a PIN and a pattern are needed.

If the PIN code is entered correctly, a second verification stage is activated that requires the master unlock code, but when the PUK code is entered this stage is skipped and access is granted without asking for the master password or pattern.

The next unlock stage is dropped because, when KeyguardSecurityContainerController#dismiss() is called, the expected verification method is not compared with the one actually passed in; that is, the handler assumes that no change of verification method has taken place, and a completed PUK check is taken as successful completion of authentication.
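To make the missing comparison concrete, here is an added, simplified Java model of the dismissal flow described above; it is not AOSP code and not taken from the researcher's write-up. The class name, its method names and the two-stage screen sequence are hypothetical, and the hardened variant shows the kind of expected-versus-current mode check that, according to the article, dismiss() lacked.

```java
// Added illustrative model of the keyguard dismissal flow; not AOSP source code.
// KeyguardDismissModel and all of its methods are hypothetical names.
import java.util.ArrayDeque;
import java.util.Arrays;

public class KeyguardDismissModel {
    enum SecurityMode { INVALID, SIM_PUK, PIN, NONE }
    // Security screens still to be passed, in display order (simplified structure).
    private final ArrayDeque<SecurityMode> pending;
    private boolean unlocked;

    KeyguardDismissModel(SecurityMode... stages) { pending = new ArrayDeque<>(Arrays.asList(stages)); }

    SecurityMode getCurrentSecurityMode() {
        return pending.isEmpty() ? SecurityMode.NONE : pending.peekFirst();
    }

    // Vulnerable variant: any caller reporting success finishes the whole keyguard,
    // without checking which screen is currently being shown.
    boolean dismissVulnerable(boolean authenticated) {
        if (!authenticated) return false;
        pending.clear();
        return unlocked = true;
    }

    // Hardened variant: the caller names the screen it believes it is dismissing;
    // a stale PUK-screen caller therefore cannot dismiss the device PIN screen.
    boolean dismissHardened(boolean authenticated, SecurityMode expectedMode) {
        if (!authenticated) return false;
        if (expectedMode != SecurityMode.INVALID
                && expectedMode != getCurrentSecurityMode()) return false;
        pending.pollFirst();
        return unlocked = pending.isEmpty();
    }

    // Replays the reported sequence: PUK accepted, container already advanced to the
    // device PIN screen, then the PUK controller's success callback reaches dismiss().
    static boolean replay(boolean hardened) {
        KeyguardDismissModel kg = new KeyguardDismissModel(SecurityMode.SIM_PUK, SecurityMode.PIN);
        kg.pending.pollFirst();  // SIM unblocked: SIM_PUK screen retired, PIN now current
        if (hardened) kg.dismissHardened(true, SecurityMode.SIM_PUK);
        else kg.dismissVulnerable(true);
        return kg.unlocked;
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: unlocked without device PIN = " + replay(false));
        System.out.println("hardened:   unlocked without device PIN = " + replay(true));
    }
}
```

In the vulnerable variant the stale PUK success call unlocks the device even though the PIN screen is what is being shown; in the hardened variant the mismatch is rejected and the PIN screen stays in place.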

The vulnerability was discovered by accident: the user's phone ran out of battery, and after charging and switching it back on he entered the PIN incorrectly several times, then unblocked the SIM with the PUK code. He was surprised that the system did not ask for the master password used to decrypt the data; instead, the message "Pixel is starting..." appeared.

The user turned out to be inquisitive: he decided to find out what was going on and began entering PIN and PUK codes in various combinations, until he happened to forget to reboot the device after swapping the SIM card and got into the environment instead of a freeze.

Google's response to the vulnerability report is of particular interest. Information about the problem was sent in June, but it was only in September that the researcher received a meaningful reply. He attributed this behaviour to the fact that he was not the first to report the bug.

Suspicions that something was wrong arose in September, when the problem remained unfixed in a firmware update released 90 days after disclosure, by which time the non-disclosure period had already expired.

Since every attempt to learn the status of the submitted report produced only templated and automated replies, the researcher tried to contact Google employees personally to clarify the state of the fix, and even demonstrated the vulnerability at Google's London office.

Only after that did work on eliminating the vulnerability move forward. During the analysis it emerged that someone had already reported the problem earlier, but Google decided to make an exception and pay a reward for the duplicate report, since it was only thanks to the author's persistence that the problem was noticed.

The ability to disable the lock was demonstrated on Google Pixel devices, but since the fix touches the core Android codebase, the issue is likely to affect third-party firmware as well. The problem was fixed in the November Android security update. The researcher who drew attention to the problem received a reward of $70,000 from Google.

Source: https://bugs.xdavidhu.me

