$70K awarded to researcher for reporting Google Pixel lock screen bypass
A security researcher recently discovered a vulnerability affecting all Google Pixel phones that allowed any locked Pixel device to be unlocked. Google reportedly paid the researcher $70K for identifying and reporting it. The issue was present on all Pixel devices and was fixed on 5 November 2022.
David Schütz, a security researcher from Hungary, found that an attacker with physical access to the device could bypass the lock screen, whether protected by fingerprint, PIN or pattern, and gain full access to the user's phone. The vulnerability is now tracked as CVE-2022-20465 and may also be a concern for other Android vendors.
Exploiting the vulnerability takes only a few minutes. Apart from physical access to the device, the attacker needs nothing more than a PIN-locked SIM card of their own for which they know the correct PUK code. The attacker inserts that locked SIM into the victim's device and carries out the exploit through the SIM's PIN and PUK prompts.
The PUK (Personal Unblocking Key) is an 8-digit code, printed on the SIM card or its packaging, that unblocks a SIM after the PIN has been entered incorrectly too many times. If the PUK itself is entered incorrectly repeatedly, the card is permanently blocked: it cannot be unblocked and cannot be used.
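As an added illustration, which is not part of the article and is not Android source code, the following toy Python model shows the class of logic flaw the article describes: a layered lock screen in which finishing the SIM PUK prompt dismisses the whole keyguard rather than only the SIM screen. The `Sim` and `Keyguard` classes, the PIN, PUK and attempt-limit values are all constructed for the example (the limits of 3 PIN attempts and 10 PUK attempts are typical carrier defaults, assumed here).

```python
"""Toy model of a keyguard with a SIM PIN/PUK flow (constructed example,
not Android code). Illustrates the flaw class behind CVE-2022-20465: the
SIM screen's completion callback dismissing the entire lock screen."""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample values (assumptions for the example).
USER_PIN = "1234"      # the victim's lock-screen PIN
SIM_PIN = "0000"       # the attacker's own SIM PIN
SIM_PUK = "12345678"   # the 8-digit PUK printed with the attacker's SIM


@dataclass
class Sim:
    """SIM with typical limits: 3 PIN attempts, then PUK; 10 PUK attempts."""
    pin: str
    puk: str
    unlocked: bool = False
    pin_attempts_left: int = 3
    puk_attempts_left: int = 10

    def state(self) -> str:
        if self.puk_attempts_left == 0:
            return "PERMANENTLY_BLOCKED"   # too many wrong PUKs: card is dead
        if self.unlocked:
            return "READY"
        if self.pin_attempts_left == 0:
            return "PUK_REQUIRED"
        return "PIN_REQUIRED"

    def try_pin(self, guess: str) -> bool:
        if self.state() != "PIN_REQUIRED":
            return False
        if guess == self.pin:
            self.unlocked = True
            return True
        self.pin_attempts_left -= 1
        return False

    def try_puk(self, guess: str, new_pin: str) -> bool:
        """A correct PUK sets a new PIN and unblocks the card."""
        if self.state() != "PUK_REQUIRED":
            return False
        if guess == self.puk:
            self.pin, self.pin_attempts_left, self.unlocked = new_pin, 3, True
            return True
        self.puk_attempts_left -= 1
        return False


@dataclass
class Keyguard:
    """Stack of security screens; the device is unlocked only when it is empty."""
    user_pin: str
    fix_applied: bool
    sim: Optional[Sim] = None
    screens: List[str] = field(default_factory=list)   # top of stack is last
    unlocked: bool = False

    def lock(self) -> None:
        self.unlocked, self.screens = False, ["USER_PIN"]

    def top(self) -> Optional[str]:
        return self.screens[-1] if self.screens else None

    def insert_sim(self, sim: Sim) -> None:
        """A locked SIM pushes its own screen above the user's credential screen."""
        self.sim = sim
        if sim.state() == "PIN_REQUIRED":
            self.screens.append("SIM_PIN")
        elif sim.state() == "PUK_REQUIRED":
            self.screens.append("SIM_PUK")

    def _sim_screen_done(self) -> None:
        if self.fix_applied:
            self.screens.pop()       # drop only the SIM screen; USER_PIN remains
        else:
            self.screens.clear()     # the flaw: SIM callback dismisses everything
            self.unlocked = True

    def enter_sim_pin(self, guess: str) -> None:
        if self.top() != "SIM_PIN" or self.sim is None:
            return
        if self.sim.try_pin(guess):
            self._sim_screen_done()
        elif self.sim.state() == "PUK_REQUIRED":
            self.screens[-1] = "SIM_PUK"   # PIN exhausted: show the PUK screen

    def enter_sim_puk(self, puk: str, new_pin: str) -> None:
        if self.top() == "SIM_PUK" and self.sim and self.sim.try_puk(puk, new_pin):
            self._sim_screen_done()

    def enter_user_pin(self, guess: str) -> bool:
        if self.top() != "USER_PIN" or guess != self.user_pin:
            return False
        self.screens.pop()
        self.unlocked = not self.screens
        return self.unlocked


def sim_swap_attack(fix_applied: bool) -> bool:
    """Physical attacker: insert own PIN-locked SIM, burn the PIN attempts,
    enter the known PUK. Returns whether the device ended up unlocked."""
    kg = Keyguard(USER_PIN, fix_applied)
    kg.lock()
    kg.insert_sim(Sim(SIM_PIN, SIM_PUK))
    for _ in range(3):
        kg.enter_sim_pin("9999")          # deliberately wrong PIN
    kg.enter_sim_puk(SIM_PUK, "4321")     # attacker knows this PUK
    return kg.unlocked
```

Run `sim_swap_attack(False)` to see the vulnerable model unlock without the victim's PIN, and `sim_swap_attack(True)` to see the corrected behaviour, where the PUK flow only removes the SIM screen and the user's own credential is still required. The design point is that completing a lower-trust sub-screen must never be allowed to dismiss the screen that actually proves the user's identity.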
The researcher reported the bug to Google, but the response he received was unsatisfying. He had also checked the rewards table for lock screen bypasses and was surprised by the amount: according to the table, a researcher could receive up to $100K, and he was thrilled at the prospect of a $100K bounty.
He waited a month for an acknowledgment from Google, only to learn that his ticket might be closed as a duplicate. Thirty-one days after reporting, he received an email stating: "The Android Security Team believes that this is a duplicate of an issue previously reported by another external researcher."
After two months he asked for an update and received an automated response stating that the issue was being worked on. Three months after the report, he attended Google's bug hunter event ESCAL8, where he presented a live demo of the vulnerability. The demo convinced the Googlers present that the issue was real and finally got it the attention it needed.
After months of persistence, his efforts paid off: he was awarded $70,000 for the lock screen bypass.