A security researcher was paid $70,000 by Google for reporting a security bug that made it possible for anyone holding one of its Pixel phones to unlock it.
The lock screen bypass is classed as a local escalation of privilege bug because it lets someone with the device in their hand get at the device's data without entering the lock screen password.
David Schütz, a researcher from Hungary, said the bug was easy to exploit, and it took Google about five months to fix it.
Schütz found that anyone with physical access to a phone could swap in their own SIM card, lock that SIM by entering its PIN incorrectly, and then enter the SIM's PUK recovery code to unlock the device. Schütz published a write-up describing how he found the bug and reported it to Google's security team.
These days a fingerprint or face unlock is a common way to protect a phone from unauthorized access, while the PIN on the SIM card itself is meant to stop a thief from using the phone number. If the SIM PIN is entered incorrectly too many times, the SIM locks and the PUK (PIN unlock key) has to be entered to unlock it and set a new PIN. The easiest way to get a PUK code is from the cell carrier's customer service.
The bug meant that Schütz could get his phone unlocked, with all of its data exposed, without ever entering the lock screen credential. He warned that other Android devices could be vulnerable as well.
Physical access to the phone is required, but the victim's SIM card is not: the attacker can bring their own. Schütz said the exploit works with any SIM card that has a PIN lock enabled and whose PUK code the attacker knows.
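The attack chain described above, modelled as a small state machine. This is an added illustration, not Android's keyguard code and not Schütz's proof of concept: it assumes a keyguard that shows a SIM PIN/PUK screen before the device PIN screen, and contrasts a vulnerable dismissal rule (any successful security screen dismisses the whole keyguard) with a hardened one (only the device credential screen can). The SIM, PINs and PUK values are constructed; the three-PIN and ten-PUK retry limits are the usual GSM SIM defaults.

```python
"""Toy model of a SIM PUK lock-screen bypass (illustration only, not Android code)."""
from dataclasses import dataclass

PIN_ATTEMPTS = 3    # a SIM blocks its PIN after three wrong entries
PUK_ATTEMPTS = 10   # and blocks permanently after ten wrong PUK entries


@dataclass
class Sim:
    """Constructed SIM card: PIN lock enabled, PUK known to whoever owns it."""
    pin: str
    puk: str
    pin_tries_left: int = PIN_ATTEMPTS
    puk_tries_left: int = PUK_ATTEMPTS

    @property
    def pin_blocked(self):
        return self.pin_tries_left == 0

    @property
    def permanently_blocked(self):
        return self.puk_tries_left == 0

    def try_pin(self, guess):
        if self.pin_blocked or guess != self.pin:
            self.pin_tries_left = max(0, self.pin_tries_left - 1)
            return False
        self.pin_tries_left = PIN_ATTEMPTS
        return True

    def try_puk(self, guess, new_pin):
        """PUK entry is only accepted once the PIN is blocked; success sets a new PIN."""
        if not self.pin_blocked or self.permanently_blocked or guess != self.puk:
            if self.pin_blocked:
                self.puk_tries_left = max(0, self.puk_tries_left - 1)
            return False
        self.pin = new_pin
        self.pin_tries_left = PIN_ATTEMPTS
        self.puk_tries_left = PUK_ATTEMPTS
        return True


class Keyguard:
    """Assumed keyguard: a SIM screen (PIN or PUK) is shown first when a locked
    SIM is inserted, then the device PIN screen. `hardened` selects the
    dismissal rule that is being contrasted."""

    def __init__(self, device_pin, hardened):
        self.device_pin = device_pin
        self.hardened = hardened
        self.sim = None
        self.sim_verified = True      # no SIM, or SIM already unlocked
        self.unlocked = False

    def insert_sim(self, sim):
        # Hot-swapping the SIM brings up the SIM security screen on top of the keyguard.
        self.sim = sim
        self.sim_verified = False
        self.unlocked = False

    def current_screen(self):
        if self.unlocked:
            return "NONE"
        if self.sim is not None and not self.sim_verified:
            return "SIM_PUK" if self.sim.pin_blocked else "SIM_PIN"
        return "DEVICE_PIN"

    def _dismiss(self, screen):
        """Callback a security screen invokes after a successful credential entry."""
        if screen == "DEVICE_PIN":
            self.unlocked = True
        elif screen in ("SIM_PIN", "SIM_PUK"):
            self.sim_verified = True
            if not self.hardened:
                # Vulnerable rule: a SIM screen succeeding dismisses the whole keyguard,
                # so the device PIN screen is never shown.
                self.unlocked = True

    def enter(self, value, new_pin=None):
        screen = self.current_screen()
        if screen == "DEVICE_PIN":
            ok = value == self.device_pin
        elif screen == "SIM_PIN":
            ok = self.sim.try_pin(value)
        elif screen == "SIM_PUK":
            ok = self.sim.try_puk(value, new_pin)
        else:
            return True
        if ok:
            self._dismiss(screen)
        return ok


def puk_bypass(hardened):
    """Replay the reported chain: insert own PIN-locked SIM, block it with wrong
    PINs, enter its PUK. Returns True if the device unlocked without its PIN."""
    victim = Keyguard(device_pin="135790", hardened=hardened)
    attacker_sim = Sim(pin="0000", puk="12345678")   # attacker knows this PUK
    victim.insert_sim(attacker_sim)
    for _ in range(PIN_ATTEMPTS):
        victim.enter("9999")                          # deliberately wrong SIM PIN
    assert victim.current_screen() == "SIM_PUK"
    victim.enter("12345678", new_pin="1234")          # correct PUK, pick a new PIN
    return victim.unlocked
```

Under the vulnerable rule `puk_bypass(hardened=False)` returns True: the phone is open and the device PIN was never asked for. Under the hardened rule the same sequence only clears the SIM screen, and the keyguard falls back to the device PIN screen, which is the behaviour a fix has to restore.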
Because a successful exploit gives access to everything on the device, Google pays security researchers up to $100,000 for bugs of this severity. Companies such as Cellebrite and Grayshift turn software exploits of this kind into phone cracking tools that they sell to law enforcement agencies. Google initially marked Schütz's report as a duplicate of an earlier one, but it had not been able to reproduce or fix the bug from that earlier report.
The bug was fixed in the November 2022 Android security update. Schütz demonstrated the exploit in a video.