David Schütz is a well-known bug hunter that publishes his discoveries via his blog. One of his recent updates describes how to unlock any Google Pixel phone without using a password very easily.
The post published on Schütz’s blog says that you can exploit the vulnerability by inserting a different SIM card into the phone. However, it’s necessary to disable the biometrics by inputting three incorrect fingerprint scans.
Once the biometrics are disabled, it’s necessary to remove the SIM card in use with a different one. You will then need to submit the wrong PIN with the intention of unlocking the new SIM.
This way, the phone will ask for the new SIM’s PUK code (Personal Unlocking Key). This information would be known to the person (or hacker) as they would’ve placed a SIM under their name. It’s not clear why, but after entering such information, the phone immediately unlocks.
According to Schütz, he was able to use the same method to unlock a Pixel 5 and a Pixel 6. The post says that he attempted to do the same thing “multiple times” on fully-updated Pixel phones.
Of course, Schütz reported that vulnerability to Google after he made his discoveries. Schütz says that Google responded within 37 minutes but that their responses started becoming infrequent and low-quality after a while.
Google contacted Schütz again via email to inform him that a different person had already reported the bug and that he wouldn’t receive reward money. Ironically, it was Schütz’s report that brought attention to the matter.
After two months, Google launched a security update, but the company didn’t make a follow-up regarding the bug. Schütz attempted to bypass the Pixel phone’s lock screen once more, and the bug still worked without issues. It was then that the company paid attention to the issue.
In the end, Schütz earned $70,000 for his report.
Sign up for our newsletter to get the best of The Sized delivered to your inbox daily.
