Google paid a security researcher $70,000 for privately reporting a security bug that allowed anyone to unlock Google Pixel phones without knowing their password
The lock screen bug, tracked as CVE-2022-20465, is described as a native privilege escalation bug because it allows someone in possession of the device to access its data without having to get past the lock screen. Hungarian researcher David Schütz said exploiting the bug was extremely simple, but it took Google about five months to fix it.
Schütz discovered that anyone with physical access to a Google Pixel phone could swap in their own SIM card and enter that card's preset recovery code to bypass the Android operating system's lock screen protections. In a blog post published now that the bug is fixed, Schütz explained how he found the bug by accident and reported it to Google's Android team.
Android lock screens use a numeric PIN, a password, a pattern, a fingerprint or facial recognition to protect users' phone data. SIM cards also have their own PIN protection, aimed at preventing a thief from using the phone. If a user enters the wrong PIN more than three times, the SIM card requires an additional code, the personal unlock code or PUK. PUK codes are usually printed on the SIM card package or can be obtained directly from the mobile operator's customer service.
Schütz realized that the bug meant entering the SIM card's PUK code was enough to unlock his phone and its data without the lock screen ever appearing; it worked on a fully patched Pixel 6 and on the older Pixel 5. He also noted that other Android devices may be vulnerable.
The attack requires physical access: a malicious person with the phone in hand needs only their own SIM card and its corresponding PUK code to unlock the device.
Google pays security researchers up to $100,000 for privately reporting bugs that could allow someone to bypass the lock screen. In this case, Google paid Schütz $70,000 and fixed the Android bug in a security update released on November 5, 2022 for devices running Android 10 to Android 13. You can see Schütz demonstrating the bug in his video below.