Google awards hacker $70k for Pixel lock screen bypass bug discovery


“If you gave me any locked Pixel device, I could give it back to you unlocked,” hacker David Schütz said. Google fixed the bug in its November update.

The bug allowed a threat actor with physical access to Google Pixel phones to bypass the screen lock protections and gain access to the device, Schütz explained.

He discovered the bug after he forgot his PIN code. Schütz rebooted the phone, put in the incorrect PIN three times, was asked to enter the PUK code, chose a new PIN, and got to the “Pixel is starting…” state.

Once, he forgot to reboot the phone, locked the device, hot-swapped the SIM tray, and did the SIM PIN reset process.

“I didn’t even realize what I was doing. As I did before, I entered the PUK code and chose a new PIN. This time the phone glitched, and I was on my personal home screen. What? It was locked before, right?” Schütz noted on his blog.

At that point, after calming down a bit, he realized that this was a full lock screen bypass on his fully patched Pixel 6. Bug bounty hunter repeated the same process with his old Pixel 5 phone, and it worked, too.

“Since the attacker could just bring his/her own PIN-locked SIM card, nothing other than physical access was required for exploitation. The attacker could just swap the SIM in the victim’s device and perform the exploit with a SIM card that had a PIN lock and for which the attacker knew the correct PUK code,” Schütz said.

He notified Google and found that the company had triaged & filed an internal bug within 37 minutes. Approximately four months later, Google patched the bug. Despite telling Schütz this was actually a duplicate, meaning someone had reported the flaw before Schütz did, the company rewarded him with a $70,000 bug bounty for the lock screen bypass.