Interview with Dávid Schütz From Szeged, Who Found a Bug That Google Paid 28 Million For


The security expert Dávid Schütz, only 21 years old, presented on his blog the method by which he bypassed and “hacked” the identification and access control system of Android phones. After some struggle, Google rewarded the solitary bug hunter with HUF 28 million, and the news ran through the entire domestic press. Dávid’s world is global and he communicates in English, but the young man is from Szeged, so we were able to talk to him in Bárka.

His first mobile phone experience did not involve a smart device: his father had a “dumb” Nokia phone, but one with voice recognition. “Whatever we told it, the device replied that it would call the Óföldeák Pasta Factory. I wonder how many people called it in the end” – Dávid remembers the days when he was still in junior high school. The pasta factory still operates today, but he never called it.

Around 2010, at the age of ten, he got his first mobile phone, which was already smart, and he kept that Samsung for 2-3 years. Dávid was born in Szeged, but at the time they lived in Hódmezővásárhely and he attended the Ferenc Liszt elementary school. He had about five singing lessons a week, and he also played the violin. In the end, it turned out that he did not become an expert on this. “We played a lot of video games on the computer. One of my friends, Laci, programmed and developed accessories for them. He created small games within the game, and he pulled me in this direction, I tried to catch up, but programming was not easy” – he says of one of the serious stages of “contagion”.

Dávid as a child

He adds that they also worked together a lot: he was faster than his friend and always said that this and that should be done, while Laci knew better how to do it and was technically far ahead. They developed a website together at school where you could vote on what kind of music was played at the carnival, and of course he and Laci played it. After elementary school, he was not accepted into the Ságvári high school in Szeged for computer science, which at the time affected him a little, but not much. He went to Tömörkény, studying English, and he admits that he didn’t have very good grades in high school. “Even then, I didn’t want to deal with something that I didn’t see the reason for. I know that this is debatable, and there are similar problems at the university”, says Dávid, who started the IT engineering major in Szeged in 2020.

IT security already came up at the beginning of high school. According to him, at that time he even consumed “questionably ethical contents” because they were really interesting from the point of view of hacking. There were some things that could be categorized as pranks, which he would definitely not do today.

Hardware in the flat – a long time ago

Around the tenth grade of high school, Dávid began to deal consciously with the search for security flaws. “Companies announce their new products and wait to be hacked. And those who manage to find a loophole in the system are rewarded. This is a category of ethical hacking”, Dávid explains. “We find out that it is open, available to anyone – except for countries on the banned list – the minimum age is 13 and it is purely performance-based. In this profession, the output is the found security error, we can indeed be measured by performance” – says Dávid, with surprising awareness. His first “visible” prize money was 2,000 dollars. Google publicly announces that if someone manages to crack it somehow, it will be appreciated and rewarded.

There is also a more closed, invitation-only circle. He has been part of one as well, but he doesn’t like it so much, because he can’t publish afterwards, and he prefers being able to publish. Dávid “by way of life” mostly looks for errors in web applications, but in this profession, chance can also play a big role. This is how the story of the 28 million forint bug that ran throughout the Hungarian press, especially online, also began.

He had come home from a long trip to San Francisco, and his cell phone’s battery was so low that it turned off in the middle of an important message. He quickly put it on the charger; the device switched back on and asked for the SIM card code. “I was in a hurry, I wanted to finish the urgent message and I messed up the PIN code three times. The SIM card was disabled and the phone requested the PUK code. It was not easy to find the original packaging, it was a miracle that the SIM card box was found, with the PUK code that I entered. After that, the device asked me to choose a new PIN code for the SIM card, which I did. And then came the turning point”, Dávid recalls.

In San Francisco

His phone started behaving strangely. After switching on, the phone always needs the unlock code and the fingerprint is not enough, but in this case it asked for the fingerprint, and then the device got into a strange, stuck state, and the screen remained like that. Rebooting eventually solved everything, but it kept nagging at him that this wasn’t normal behavior. The thought arose that this might be not only a functional error but also a security problem. Of course, it took someone working in the profession to notice the problem at all. “I felt a very strong internal pressure, I shouldn’t leave it at that, just like other times, I know it’s a bit of a compulsive urge”, Dávid admits, adding that he doesn’t want to leave a security error behind; he believes that he can’t do that. The next day, struggling a bit with himself, he began to look more intently at the error. “Then I noticed that if you don’t restart the phone and reset the SIM card code with the PUK code, the phone doesn’t freeze, but unlocks.”

“I couldn’t believe it, I tried again twice, at the end my hands were shaking a little. Then I looked at it on my old phone, I was able to do it, and I knew then that it was a cross-device bug,” he recalls, noting that it was one of the easiest bugs he found. An “attacker” can simply bring his own SIM card, for which he knows the PUK code, and by inserting it into someone’s phone, he can unlock the phone’s screen lock by repeating the above steps, without knowing the unlocking code. Within an hour he had already notified Google, which means he submitted it almost immediately. The report was quickly accepted, within 34 minutes, and after that it went very quiet.

Dávid giving a talk in English

“They didn’t respond very well, a month later I received the message that the error had already been submitted by someone else. Since they only ever pay the first person to submit a bug, it was very likely that there would be zero money. But since the mistake was so serious, I forced it and asked about it several times. I’ve been hacking Google products for a long time, I tried them during one of their events in September, and it worked even on the latest version”, he says. The matter may have been accelerated by the fact that he reproduced the error live in front of Google’s engineers, albeit in slightly funny circumstances. There was no real ejector pin at hand, so he had to use a normal pin to pop out the SIM card, with which he then stabbed his hand in such a way that it had to be bandaged. In the end, a lady’s earring proved to be the perfect tool for the purpose.

“In our profession, it is appropriate to wait 90 days, and we usually publish the error only after that, but we were already beyond that. I also reported this to Google, but they said it won’t be fixed until December. After that, they organized a conference call, they admitted that it was more urgent, and the error was corrected at the beginning of November”, says Dávid about the closure of the case. Anyone whose phone runs a system affected by the error should update it; with the new version, it is no longer possible to hack the mobile so easily. If the phone shows an “Android security update” dated “November 5, 2022”, then this bug has already been fixed. If the date is earlier, it is not certain that the fix is present.

Young IT professionals

According to Dávid, there is a manufacturer that has not yet released this update, but he is confident that what is delayed is not lost. If you are a professional or want to know more about the details of troubleshooting, you can find the original blog post in English here. In addition to the 28 million story, one of the latest pieces of news about Dávid is that he has said goodbye to the Szeged Schedule Bot, which started from a simple idea born in April 2017, at a stop on Sajka Street, while waiting for the bus.

“I wanted to know when the bus was coming, but I only had the Messenger application on my phone. I knew there were autoresponder Messenger chatbots and thought why not put the two together and make a bot that tells you the bus schedule and answers: when is the bus coming? Laci and I started the development the very same day, and within five days we were ready with the first working prototype”, Dávid recalls.

They said goodbye after six years

The story could have ended here, but it didn’t. He sent an e-mail to five different news portals, but received only one response: the journalist of Délmagyarország, Tünde Dombai, invited the two boys for an interview. After that, they “exploded”, which is no wonder, because the title of the article read: Dávid didn’t have a schedule, he made one up. They were written about in 24.hu and HVG, and appeared on the M1 TV channel and many other platforms; it was an exciting time for both of them. “6 years have passed and a lot has changed. We finished high school, went to university, and started working. We set off on separate paths, and now it seems that we are both moving away from Szeged. For this reason, and also because the bot has not been working for months due to various technical difficulties, we have decided that it is time to end this era. Thank you for traveling with thousands of us in Szeged. Signature: Laci and Dávid”


Interview: András Kovács
