
“My hands started to shake at this point…”

Skeleton Key

David Schütz, a bug hunter, discovered a clever way to unlock any Google Pixel phone without a passcode — and the vulnerability may affect swaths of other Android phones as well.

According to a post on Schütz’s blog, the vulnerability is exploited by using another SIM card. First, a hacker with physical access to the phone would input three incorrect fingerprint scans, causing biometrics to be disabled.

From there, a hacker would remove the original SIM card and replace it with their own. They would then input the wrong PIN to unlock the foreign SIM.

This causes the phone to instead ask for the SIM’s PUK code, or Personal Unlocking Key, which the hacker would know since they’ve put in their own SIM. When that’s entered, the phone inexplicably unlocks to the home screen.

And this was no fluke: Schütz says he was able to replicate this multiple times, both on a fully updated Pixel 6 and an older Pixel 5.

“My hands started to shake at this point,” Schütz said in the post. “‘What the f**k? It unlocked itself?’”

Left On Read

Schütz sent in the report almost immediately. To Google’s credit, he says Google flagged it and filed it in 37 minutes. But after that, “the quality and the frequency of the responses started to deteriorate.”

“After it got triaged, there was basically a month of silence,” he wrote.

Eventually, Google contacted Schütz in a formal email saying the bug had already been reported by someone else and that he wouldn’t get any reward money — a brusque dismissal, considering that it was his report that prompted them to address the bug.

Two months later, after a September security update and still with no follow-up from Google, Schütz tried to reproduce the bug again. It still worked. Deciding that he had had enough, Schütz showed the vulnerability to Google engineers in person. That finally got their attention.

“After I started ‘screaming’ loudly enough, they noticed,” Schütz said.

His persistence earned him a reward of $70,000, with a fix now reflected in the company’s source code, but if you ask us, he should’ve gotten the full $100,000.
