"My hands started to shake at this point..."

Skeleton Key

David Schütz, a bug hunter, discovered a clever way to unlock any Google Pixel phone without a passcode — and the vulnerability may affect swaths of other Android phones as well.

According to a post on Schütz's blog, the vulnerability is exploited by using another SIM card. First, a hacker with physical access to the phone would input three incorrect fingerprint scans, causing biometrics to be disabled.

From there, a hacker would remove the original SIM card and replace it with their own. They would then input the wrong PIN to unlock the foreign SIM.

This causes the phone to instead ask for the SIM's PUK code, or Personal Unlocking Key, which the hacker would know since they've placed in their own SIM. When that's inputted, the phone inexplicably unlocks to the home screen.

And this was no fluke: Schütz says he was able to replicate this multiple times, both on a fully updated Pixel 6 and an older Pixel 5.

"My hands started to shake at this point," Schütz said in the post. "'What the f**k? It unlocked itself?'"

Left On Read

Schütz sent in the report almost immediately. To Google's credit, he says Google flagged it and filed it in 37 minutes. But after that, "the quality and the frequency of the responses started to deteriorate."

"After it got triaged, there was basically a month of silence," he wrote.

Eventually, Google contacted Schütz in a formal email saying the bug had already been reported by someone else and that he wouldn't get any reward money — a brusque dismissal, considering that it was his report that prompted them to address the bug.

Two months later after a September security update and still with no follow up from Google, Schütz tried to reproduce the bug again. It still worked. Deciding that he had enough, Schütz showed the vulnerability to Google engineers in person. That finally got their attention.

"After I started 'screaming' loudly enough, they noticed," Schütz said.

His persistence earned him a reward of $70,000, with a fix now reflected in the company's source code — but if you ask us, he should've gotten the full $100 grand.

More on Google: Google Engineers Joked About How Incognito Mode Isn't Very Incognito

Share This Article