After his SIM card was locked, David Schütz discovered by accident that swapping the SIM could leave a Google phone unlocked without ever asking for the device password.

Schütz says he reported the issue to Google in June, but it was only fixed on November 7. He recommends that Android users install the latest security patch for their devices to prevent unauthorized access.

The vulnerability allows the lock screen of many models to be bypassed by inserting a different SIM and performing five simple steps that take only a few minutes.

Accidental discovery

Although he is a security researcher, Schütz was not studying the Android operating system at the time; he stumbled on the flaw while using his own Pixel 6. After the battery ran down, the phone rebooted and asked for the SIM's PIN. He did not remember it and entered it incorrectly three times, which locked the SIM, so he had to enter the PUK code to unlock it.


The PUK is an 8-digit SIM protection code, usually printed on the card holder the SIM comes in when bought from a carrier. Schütz had to dig out the card holder, enter the PUK and set a new PIN to unlock the subscription. What surprised him was that after the SIM was unlocked, the Pixel 6 only asked for his fingerprint to unlock the device.

"This shouldn't have happened, because after a reboot the device has to ask the user for the unlock password at least once in order to decrypt," Schütz said. Requiring the password after a reboot is mandatory on every device running iOS or Android today, since biometrics alone cannot decrypt user data until the first unlock.

He then repeated the process several times to confirm the bug and prepare a report. In one repetition in which he forgot to reboot the phone first, the device did not even ask for a fingerprint: the SIM unlock code alone dropped him straight onto the home screen.

BleepingComputer notes that the vulnerability can only be exploited by someone with physical access to the device. Even so, the impact is large in cases such as stolen phones or law enforcement investigations; the FBI once fought Apple in court to get exactly this kind of access to a locked iPhone.

According to Google's bulletin, the vulnerability affects devices running Android 10, 11, 12 and 13 that have not installed the November patch. To exploit it, an attacker only needs a SIM card of their own for which they know the PUK: they insert it into the locked phone, deliberately enter the wrong SIM PIN three times so that the SIM locks, then enter the PUK to unlock the SIM, and end up with full access to the device.

Google delay

According to security experts, Android's lock mechanism is built from a stack of "security screens": the device password or PIN screen, the fingerprint prompt, the SIM PIN entry screen, the PUK screen and so on, layered one on top of another. When the user passes the check on a given layer, a "dismiss" function is called to remove that screen and move on to the next one.


The bug was a conflict between two callers of that function: after a correct PUK entry, both the SIM state monitor and the PUK component called "dismiss". The first call removed the PUK screen as intended; the second removed the next layer in the stack, the device keyguard itself, leaving the phone with no protection at all.
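To make the double-dismiss concrete, here is a small model of the security-screen stack. It is an added illustration written for this article, not Android's SystemUI code: the screen names, the two callers (PUK component and SIM state monitor) and the "expected screen" guard in the fixed variant are assumptions made for the model, chosen to reproduce the behaviour the text describes.

```python
"""Toy model of the keyguard 'security screen' stack and the double dismiss.

Added illustration for this article; NOT Android's SystemUI code. Screen
names, the two callers and the 'expected screen' guard are assumptions.
"""

DEVICE_LOCK = "DEVICE_LOCK"  # the phone's own PIN / password / pattern
SIM_PIN = "SIM_PIN"          # SIM PIN screen, shown on top of the device lock
SIM_PUK = "SIM_PUK"          # replaces SIM_PIN once the SIM is PUK-locked
HOME = "HOME"                # no screen left on the stack: home screen visible

MAX_PIN_ATTEMPTS = 3         # wrong SIM PIN entries before the SIM locks


class Keyguard:
    """Stack of security screens; the last element is the one on display."""

    def __init__(self, screens, guarded, sim_pin="1234", sim_puk="12345678"):
        self.screens = list(screens)
        self.guarded = guarded        # False models the behaviour before the fix
        self.sim_pin = sim_pin        # constructed values for the attacker's SIM
        self.sim_puk = sim_puk
        self.pin_failures = 0
        self.events = []              # trace of what each dismiss() call did

    @property
    def current(self):
        return self.screens[-1] if self.screens else HOME

    def dismiss(self, expected):
        """Remove the screen on top of the stack.

        Unguarded: pop whatever is on top, no matter who asked (the bug).
        Guarded: pop only if the top screen is the one the caller has just
        verified; a stale second call is logged and ignored.
        """
        if not self.screens:
            self.events.append(f"dismiss({expected}): nothing to dismiss")
            return
        top = self.screens[-1]
        if self.guarded and top != expected:
            self.events.append(f"dismiss({expected}) ignored, top is {top}")
            return
        self.screens.pop()
        self.events.append(f"dismiss({expected}) removed {top}")

    def enter_sim_pin(self, pin):
        """A correct PIN dismisses the SIM screen; three wrong ones lock the SIM."""
        assert self.current == SIM_PIN
        if pin == self.sim_pin:
            self.dismiss(SIM_PIN)
            return
        self.pin_failures += 1
        if self.pin_failures >= MAX_PIN_ATTEMPTS:
            self.screens[-1] = SIM_PUK   # carrier-side lock: PUK now required

    def enter_sim_puk(self, puk):
        """A correct PUK makes two components react, as described above."""
        assert self.current == SIM_PUK
        if puk != self.sim_puk:
            return
        self.dismiss(SIM_PUK)  # 1. PUK component: its own screen is finished
        self.dismiss(SIM_PUK)  # 2. SIM state monitor sees the SIM become READY


def run_attack(guarded):
    """Attacker's SIM (PUK known) in a locked phone; returns (final screen, trace)."""
    kg = Keyguard([DEVICE_LOCK, SIM_PIN], guarded=guarded)
    for _ in range(MAX_PIN_ATTEMPTS):
        kg.enter_sim_pin("0000")       # deliberately wrong
    kg.enter_sim_puk(kg.sim_puk)       # attacker knows their own SIM's PUK
    return kg.current, kg.events


if __name__ == "__main__":
    for guarded in (False, True):
        screen, events = run_attack(guarded)
        print("guarded" if guarded else "unguarded", "->", screen)
        for e in events:
            print("   ", e)
```

Run unguarded, the second dismiss pops the device lock and the model lands on the home screen; run guarded, the stale call is ignored because the screen on top is no longer the one the caller verified, and the device lock stays in place. The real fix is Google's own and its internals are not described on this page; the guard here is only one way of expressing the required check that a dismiss must match the screen that was actually passed.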

It took Google more than five months to fix this issue.

According to Schütz, when he discovered the vulnerability in June he reported it to Google and the report was picked up immediately by the Android VRP team. He planned to publish his findings on his personal blog once Google shipped a patch, and expected a reward from Google's bug bounty program: for a vulnerability of this impact, the first reporter can receive up to 100,000 USD.

A month later, however, he was told that another researcher had reported the same vulnerability first and that Google was already working on a fix. That meant Schütz would receive no reward and could not publish.

Two months after that, while attending a Google security event at the company's offices, Schütz found that the bug still had not been fixed. He spoke directly with members of the Android VRP team and pressed them to ship a fix soon, otherwise he would go public by the end of October.

Google finally disclosed the vulnerability in early November under the identifier CVE-2022-20465. Although Schütz was not the first to find it, he was awarded $70,000 for his report. Android users, and Pixel owners in particular, are advised to update to the latest operating system version to close the hole.