Google has paid David Schütz, a hacker and security researcher, $70,000 for discovering and disclosing a Google Pixel lock screen bypass bug. The bug affected all Pixel phones and has since been resolved. Although it was not an official Android bug bounty listed by Google, the company decided to reward Schütz for his responsible disclosure nonetheless.
The vulnerability, officially tracked as CVE-2022-20465, was disclosed in June 2022 and remediated as part of the November 2022 Android OS update.
Schütz explains on his blog that any Pixel device, prior to the update, he was able to bypass the lock screen protections (fingerprint, PIN, etc.) and gain complete access to the user’s device.
Of course, this required physical access to the Pixel phone, a SIM card, and the PUK code.
The origin of the discovery stems from Schütz forgetting his SIM pin. He needed to enter his correct SIM pin to unlock his phone, and entered the wrong answer three times, thus locking the SIM. The device now was asking for the PUK code to unlock and work the phone properly again.
Except, now after restarting the device, a fingerprint icon was showing—which shouldn’t be. It accepted David’s fingerprint and enrolled it on the device.
The screen then displayed “Pixel is starting…” and restarted the Pixel phone once more.
It didn’t occur to Schütz until the next day the serious security implication.
After going through the process again, he made one change: he didn’t restart the Pixel phone where he forcibly restarted it the day prior. This now allowed him to enter the PUK code, choose a new pin, and he was on his personal home screen.
He had unlocked access to the phone simply by re-inserting the SIM tray, resetting the PIN, and he was on the home screen.
Impressively, Google triaged and filed an internal bug within 37 minutes of Schütz reporting his finding to Google. It was not yet resolved, however.
In September 2022, Schütz attended a Google bug hunter event called ESCAL8 in London. He was still able to perform the lock screen bypass at this time.
He proceeded to demonstrate the bypass process to Googlers at a local Google London office. He stressed a responsible disclosure deadline of October with Google, while Google had insisted on a December deadline. Schütz, uncomfortable with the length of time it was taking to resolve the bug, stuck to his initial October deadline.
It turns out, Schütz’s finding was a duplicate according to Google, but it was only because of his report that they started to work on it. While the bug was officially listed on Google’s bug bounty website for $100,000 reward, they decided to reward Schütz with $70,000.
Schütz reflects that it was an overall positive experience with Google, despite the initial follow-up severely lacking in urgency. “After I started screaming loudly enough, they noticed and really wanted correct what went wrong. In the end, I think Google did pretty well, although the fix timeline still felt long for me,” Schütz states on his blog.
The full conversation on the fix is available here and his personal blog.
Disclaimer: The author of this article is a current employee of Google. This article does not represent the views or opinions of his employer and is not meant to be an official statement for Google, or Google Cloud.
