Android devices running Android 10 through 13 were recently patched by Google after a cybersecurity researcher accidentally found a major security flaw in the OS’ software. David Schütz – the man responsible for the find – was paid $70,000 by Google for reporting the security bug.
Android owners needn’t worry anymore. We can’t say the same for the past six months. As long as no strangers had access to your device, locked or unlocked, you should be good. The security flaw enabled anyone with physical access to bypass the device’s security code.
David Schütz found the flaw by accident while trying to access his own Pixel 6. After David’s phone died, he tried and failed to enter his phone’s SIM card pin three times before it locked him out. He found the PUK code, entered it and set himself a new SIM pin. After booting the phone, it took him directly to the fingerprint scanner lock screen – which shouldn’t happen. It’s meant to require a lock screen pin before accepting a fingerprint scan. This still had a level of security to it, but still meant something was off.
After messing around and hot-swapping SIM trays, David found a way to bypass the passcode entirely. This meant that any malicious ‘hacker’ would have been able to gain access to the device by using their own SIM and PUK codes. A few steps and five minutes later, the ‘hacker’ would have full access to the device.
David reported the bug, and Google began working on a fix right away. He managed to reproduce the bug on his older Pixel 5 with the same results. He warned Google that this could be affecting more Android devices, which didn’t spurn Google into releasing a fix any faster.
Six months later and the patch is finally released at the beginning of November. David received a $70,000 finder’s fee for his constant checkups at Google. Without it, the security flaw would still be on Android systems with no fix in sight.