Ten-Year-Old Hacker Reveals Mobile Gaming Exploit at Defcon

 Pages 1 2 3 NEXT
 

Ten-Year-Old Hacker Reveals Mobile Gaming Exploit at Defcon

image

A ten-year-old hacker who discovered an exploit that allows easy cheating in iOS and Android games has presented her findings to this year's Defcon hacking conference.

I don't really know what the average ten-year-old girl gets up to in her spare time these days but I'm pretty sure it's not figuring out how to exploit the latest generation of mobile videogames. Yet that's exactly what what the precocious little darling with the handle of "CyFi" did, and then she headed off to Defcon to tell everyone about it.

CyFi discovered that by fiddling with the clock on her mobile devices, she could speed up the action in certain games, allowing her to do things like "grow pumpkins instantly" in farming games. That in itself isn't a particularly novel idea; what makes CyFi's discovery interesting is that app makers apparently saw this coming and built in protections against it, which she was nonetheless able to circumvent by disconnecting the devices from the network and increasing the clock in small increments.

"It was hard to make progress in the game, because it took so long for things to grow," she told CNet. "So I thought, 'Why don't I just change the time?'"

She didn't reveal the specifics of her exploit or the names of the games involved in order to keep it from becoming too widespread but she did discuss the matter in a Defcon Kids presentation entitled "Apps - A Traveler of Both Time and Space [And What I Learned About Zero-Days and Responsible Disclosure]."

"The world of apps has obvious[ly] not thought about security, yet. Here is an import[ant] lesson they can learn from a Girl Scout. I'll show a new class of vulnerabilities I call TimeTraveler," she wrote. "By controlling time, you can do many things, such as grow pum[p]kins instantly. This technique enables endless possibilities. I'll show you how. Wanna play a game? Let's find some zero-days! (Cuz it's fun!)"

CyFi's mother said that following her daughter's presentation, identity protection company AllClear ID [the folks contracted by Sony to provide a year of free identity theft protection to PSN customers] would offer a $100 reward to the "young hacker" who discovered the most games vulnerable to the exploit in a 24-hour period. Isn't that just the sweetest thing ever?

via: Dvice

Permalink

That's an exploit...? I don't mean to rain on her parade or anything but... lots of games have that same kind of "exploit" in them. Any console OR computer game that bases itself off your set clock could easily be manipulated doing that. Sure I guess circumventing a minor security trick is nice and all... but still...

rembrandtqeinstein:

cursedseishi:
That's an exploit...? I don't mean to rain on her parade or anything but... lots of games have that same kind of "exploit" in them. Any console OR computer game that bases itself off your set clock could easily be manipulated doing that. Sure I guess circumventing a minor security trick is nice and all... but still...

Dude she is 10. And she gave a presentation at Defcon. What amazing thing did you do when you were 10 besides probably having to be warned multiple times to not stick utensils in electric sockets and repeatedly consoled with the statement "its ok, lots of kids still have accidents at this age".

I'm with your point, but your execution is extremely poor. There was no need for the personal attacks on the other guy.

OT: That's pretty cool. At 10, I was just kind of playing games. Not thinking about mechanics, or how to make things happen more efficiently.

Get them when they are young.. :D

Cool thing.

Awesome, the next generation of techies are starting young. :)

Sweet! We have our best candidate for the real world Lex Murphy now!

Frostbite3789:

rembrandtqeinstein:

cursedseishi:
That's an exploit...? I don't mean to rain on her parade or anything but... lots of games have that same kind of "exploit" in them. Any console OR computer game that bases itself off your set clock could easily be manipulated doing that. Sure I guess circumventing a minor security trick is nice and all... but still...

Dude she is 10. And she gave a presentation at Defcon. What amazing thing did you do when you were 10 besides probably having to be warned multiple times to not stick utensils in electric sockets and repeatedly consoled with the statement "its ok, lots of kids still have accidents at this age".

I'm with your point, but your execution is extremely poor. There was no need for the personal attacks on the other guy.

I dunno, I thought it was pretty funny. Besides, when you're the first person posting on an article and all you have to say is "pssh, that's all she did? I could have done that so easily" never mind the fact that the person in question is TEN, then you deserve to get knocked down a few pegs.

cursedseishi:
That's an exploit...? I don't mean to rain on her parade or anything but... lots of games have that same kind of "exploit" in them. Any console OR computer game that bases itself off your set clock could easily be manipulated doing that. Sure I guess circumventing a minor security trick is nice and all... but still...

Think outside the box. Sure changing the date and time to instantly grow pumpkins isn't that nefarious but what about other systems that rely on a digital scheduling system, automatic alarm systems for instance. The point isn't that she's now a master of mobile games but that she's exposed an exploitable flaw that could potentially be other areas as well. DEF CON is all about bringing these issues to light so that security as an industry can reflect on their practices and advance the field and this girl definitely held up this idea. Kudos to her!

God bless the child...sisters are hacking it for themselves!

Frostbite3789:

rembrandtqeinstein:

cursedseishi:
That's an exploit...? I don't mean to rain on her parade or anything but... lots of games have that same kind of "exploit" in them. Any console OR computer game that bases itself off your set clock could easily be manipulated doing that. Sure I guess circumventing a minor security trick is nice and all... but still...

Dude she is 10. And she gave a presentation at Defcon. What amazing thing did you do when you were 10 besides probably having to be warned multiple times to not stick utensils in electric sockets and repeatedly consoled with the statement "its ok, lots of kids still have accidents at this age".

I'm with your point, but your execution is extremely poor. There was no need for the personal attacks on the other guy.

OT: That's pretty cool. At 10, I was just kind of playing games. Not thinking about mechanics, or how to make things happen more efficiently.

No. No, no. If anything it's the opposite. If you go to all the trouble to post online to demean a pre-teenager you deserve to be hit with ad hominems until you bleed brain matter. Even, and this may be controversial, if you're a pre-teenager yourself.

For the record, the fact that she's 10 AND that she's a girl, AND that her train of thought is both scientific and hacker-like is remarkable, which of course means anybody being cynical about this deserves the full wrath of the Internet.

First off, kudos to the presenter. The world needs more white hats and geek girls need more role models.

Fawxy:
I dunno, I thought it was pretty funny. Besides, when you're the first person posting on an article and all you have to say is "pssh, that's all she did? I could have done that so easily" never mind the fact that the person in question is TEN, then you deserve to get knocked down a few pegs.

Heh. Particularly when grown-up Defcon has a presentation about how the world's first Homeland-Security-approved lock can be opened by giving it a quick whack with a mallet. (Or poking it with a wire. Or resetting it completely.) Anyone could've hit one of these with a mallet, but only one person DID.

I appreciate that she's a "child wonder" and all that jazz, but haven't people been doing this for years?

Well done for her finding out and all, wouldn't have been to do that when I was ten.

I think there's a difference between Hacking and changing the time setting...

Hmm, while at first I was unimpressed, it was cool to see how she dealt with anti-clockshifting measures.

She is very talented to able to hack like that in her age and to expose such an exploit. I hope that she used her talent to continue uses for "good" unlike the recent hackers these days.

This is indeed a hack, but not necessarily a complex one of the sort. It would not be that impressive if a experienced programmer did something similar, but at that age having that logic mindset is very impressive.

The fact that she is a 10-year old GIRL is well.. brilliant. She certainly has a future in software development if she continues with that mindset.

Disconnecting from the internet and moving the clock forward does not equal hacking. This exploit was in Fable 2, MGS3 and im sure many many games.

Awesome for the girl, great to some female presence in this scene, even if she's only 10.

I do find the $100 dollar reward a bit insulting, I mean let's be honest a company that likely got big amounts of money from Sony for that year of free identity theft protection views $100 dollar bills as relatively small change. $1000 wouldn't really have hurt them financially and would've shown much greater respect, this just sounds like a bid for cheap media attention.

D0WNT0WN:
Disconnecting from the internet and moving the clock forward does not equal hacking. This exploit was in Fable 2, MGS3 and im sure many many games.

And you were able to figure this out and then explain it at a major convention at which age?

I'm pretty sure I figured this out on emulators at 11. Where's my Goddamn medal?

good on her for having the time and patience to work it all out. however i must say one thing... she needs a snappier title for her talk. i don't even know what that talks about from the title. thats all

llafnwod:
I'm pretty sure I figured this out on emulators at 11. Where's my Goddamn medal?

This. Sure to a normal run of the mill child who normally dicks around on Facebook its amazing but to adult standards its not impressive. I don't scale standards to be honest nor does gender have any sway. Age and gender are meaningless, the only thing that matters is what you do.

Next thing you know, someone will mention that you could probably kill off an old guy in a game by going ahead a year and he will get tired of waiting for you and die..

Oh wait...This is...the end...

Cool, let's send her to fight Anonymous.

This is really awesome, considering that most ten year olds know nothing about technology. Sort of worrying that the security hole existed in the first place.

Fawxy:
I dunno, I thought it was pretty funny. Besides, when you're the first person posting on an article and all you have to say is "pssh, that's all she did? I could have done that so easily" never mind the fact that the person in question is TEN, then you deserve to get knocked down a few pegs.

Not really. When the headline claims "A ten-year-old hacker who discovered an exploit that allows easy cheating in iOS and Android games has presented her findings to this year's Defcon hacking conference." and you find out that the "hack" is just changing the system clock, something that has been possible in games for years before anyone even thought about smart phones and games on them, people are going to be unimpressed because it's not a hack at all. As for disconnecting the device from the internet, that's also something that's been done for a few years as well (Xbox 360 will try to auto-sync the date and time if you're connected to Xbox Live, so changing the system clock requires signing out of live and/or disconnecting your ethernet cable first), which is also not hacking.

The age of the person in question has nothing to do with it. 10 years old or 30 years old, changing a system clock is not hacking. The reason for people being unimpressed is the same reason people get upset when someone claims there is "hacking" going on Xbox Live, PSN, or anything else and then tells a story about how they got tricked by phishing.

Is it just me or is a big deal being made out of this? I mean, yeah, she is 10, but specific flaw had been common in time trial software etc for years. If your time trial on something was up you would just wind back the clock and voila, its working again.

My 12 year old brother got this working on his RTM version of Windows 7. He still uses it even though its years old and its fully functional. Why isnt he at defcon...?

I'm sorry but this has been used since 2000 to have infinite days of trial software by changing the date on your pc

Noelveiga:
For the record, the fact that she's 10 AND that she's a girl, AND that her train of thought is both scientific and hacker-like is remarkable, which of course means anybody being cynical about this deserves the full wrath of the Internet.

Her gender should have no bearing on this story at all.

Hacker like and scientific?? She changed a system clock, it's not exactly a new technique and you certainly don't need to be "hacker like" to think of it..

Matthew94:

Noelveiga:
For the record, the fact that she's 10 AND that she's a girl, AND that her train of thought is both scientific and hacker-like is remarkable, which of course means anybody being cynical about this deserves the full wrath of the Internet.

Her gender should have no bearing on this story at all.

Hacker like and scientific?? She changed a system clock, it's not exactly a new technique and you certainly don't need to be "hacker like" to think of it..

And yet it totally does. She now belongs to a whole bunch of male-dominated communities. I refuse to be labelled a sexist for pointing out how cool it is that she's a girl only for her to then be harassed by illiterate male teenagers every time she discloses her gender online while playing Call of Duty.

As for her train of thought, she had an in-game issue (crops are too slow to grow) and she looked outside of the software for a hack (change the system clock), for which she needed to circumvent security (from the article, keeping the phone offline so that it couldn't check with a server-side clock). Give or take some code writing, she went through all the motions.

It is also scientific. To come to her exploit she had to make a number of working hypothesis, test them out and change them as needed based on the results. It may not be unique behaviour at 10, but she's well on her way to being able to wipe your hard drive for belittling her achievements by the time she's your age, and most likely to be either in legal trouble or a millionaire by the time she reaches my age.

This girl clearly needs to watch more My Little Pony.

mjc0961:
Not really. When the headline claims "A ten-year-old hacker who discovered an exploit that allows easy cheating in iOS and Android games has presented her findings to this year's Defcon hacking conference."

Let me stop you right there.

The point of the headline is that she's 10, not that she developed an exploit to cheat in mobile games. Nobody *cares* about the exploit, we care about the girl.

It's like the difference between me not caring that you chose to have an opinion about a trivial matter, but caring that you chose to do so in the most obnoxious, douchy way possible. Nuance, but relevant nonetheless.

Noelveiga:

mjc0961:
Not really. When the headline claims "A ten-year-old hacker who discovered an exploit that allows easy cheating in iOS and Android games has presented her findings to this year's Defcon hacking conference."

Let me stop you right there.

The point of the headline is that she's 10, not that she developed an exploit to cheat in mobile games. Nobody *cares* about the exploit, we care about the girl.

It's like the difference between me not caring that you chose to have an opinion about a trivial matter, but caring that you chose to do so in the most obnoxious, douchy way possible. Nuance, but relevant nonetheless.

And how does age and gender come into it? Actions are more important than what's in your pants or how long you have been around. To say gender matters in achievements is sexist, and to say age matters only serves to work against us. The idea of Gender and age in terms of accomplishments are old and outdated only to bring about more harm not only to society but for the child as well.

Sure, changing the system cock to cheat at games is a really old trick.

But this 10-year old girl came up with the trick independently of anyone else. That's gotta be worth some kudos and shows she's a smart kid with some good potential.

 Pages 1 2 3 NEXT

Reply to Thread

Log in or Register to Comment
Have an account? Login below:
With Facebook:Login With Facebook
or
Username:  
Password:  
  
Not registered? To sign up for an account with The Escapist:
Register With Facebook
Register With Facebook
or
Register for a free account here