Google Pays $70,000 Reward for Simple Android Lock Screen Bypass Bug

Total times read this article : 5

Security researcher David Schutz(Opens in a new window) discovered an easy Android lock screen bypass by accident after he managed to lock himself out of a Pixel 6 smartphone.

The vulnerability was found after Schutz had spent an entire day traveling and his phone battery died. On plugging the charger in, the phone asked for his SIM’s PIN code, which he didn’t know and was therefore locked out. Three failed PIN code attempts later and the phone then asked for the SIM’s PUK code, which is found on the packaging the SIM arrives in.

Schutz found the PUK code, entered it into the phone, and was asked to set a new PIN. On doing so, he noticed the fingerprint icon was displayed instead of the lock icon. The phone then accepted his fingerprint, but got stuck on a “Pixel is starting…” message.

Further investigation(Opens in a new window) revealed he could follow a sequence of steps, including hot-swapping the SIM tray, and bypass the lockscreen completely. The process for achieving that is shown in the video above, and it works for all Google Pixel phones.

Thankfully, the bypass has now been fixed as part of the Nov. 5, 2022 security update. When Schutz originally filed his bug report the Android reward amounts table(Opens in a new window) suggested he could be in line for a $100,000 reward. However, the bug was subsequently marked as a duplicate, meaning he’d get nothing. That wasn’t the end of the story, though.

Recommended by Our Editors

Schutz reported the bug in June(Opens in a new window), a month later is was marked a duplicate, but when the September security patch was released the bypass could still be used. Schutz was at Google’s ESCAL8 event in London at the time so decided to demonstrate the bypass on the Pixel phones at Google’s office.

The Android Vulnerability Reward Program team took notice, listened to the whole story regarding the bug, and a fix was planned for November. Schutz ended up receiving a reward of $70,000 because even though his bug was a duplicate, “it was only because of my report that they started working on the fix” so the VRP team made an exception to the rules and paid him a generous sum.

PCMag Logo Google’s Pixel 7 and Pixel 7 Pro Reviewed
What’s New Now to get our top stories delivered to your inbox every morning.”,”first_published_at”:”2021-09-30T21:30:40.000000Z”,”published_at”:”2022-08-31T18:35:24.000000Z”,”last_published_at”:”2022-08-31T18:35:20.000000Z”,”created_at”:null,”updated_at”:”2022-08-31T18:35:24.000000Z”})” x-show=”showEmailSignUp()” class=”rounded bg-gray-lightest text-center md:px-32 md:py-8 p-4 mt-8 container-xs” readability=”30.769230769231″>

Get Our Best Stories!

Sign up for What’s New Now to get our top stories delivered to your inbox every morning.

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.

Facebook Comments Box

Hits: 0

RELATED ARTICLESMORE FROM AUTHOR