A ten-year-old hacker who discovered an exploit that allows easy cheating in iOS and Android games has presented her findings to this year's Defcon hacking conference.
I don't really know what the average ten-year-old girl gets up to in her spare time these days but I'm pretty sure it's not figuring out how to exploit the latest generation of mobile videogames. Yet that's exactly what what the precocious little darling with the handle of "CyFi" did, and then she headed off to Defcon to tell everyone about it.
CyFi discovered that by fiddling with the clock on her mobile devices, she could speed up the action in certain games, allowing her to do things like "grow pumpkins instantly" in farming games. That in itself isn't a particularly novel idea; what makes CyFi's discovery interesting is that app makers apparently saw this coming and built in protections against it, which she was nonetheless able to circumvent by disconnecting the devices from the network and increasing the clock in small increments.
"It was hard to make progress in the game, because it took so long for things to grow," she told CNet. "So I thought, 'Why don't I just change the time?'"
She didn't reveal the specifics of her exploit or the names of the games involved in order to keep it from becoming too widespread but she did discuss the matter in a Defcon Kids presentation entitled "Apps - A Traveler of Both Time and Space [And What I Learned About Zero-Days and Responsible Disclosure]."
"The world of apps has obvious[ly] not thought about security, yet. Here is an import[ant] lesson they can learn from a Girl Scout. I'll show a new class of vulnerabilities I call TimeTraveler," she wrote. "By controlling time, you can do many things, such as grow pum[p]kins instantly. This technique enables endless possibilities. I'll show you how. Wanna play a game? Let's find some zero-days! (Cuz it's fun!)"
CyFi's mother said that following her daughter's presentation, identity protection company AllClear ID [the folks contracted by Sony to provide a year of free identity theft protection to PSN customers] would offer a $100 reward to the "young hacker" who discovered the most games vulnerable to the exploit in a 24-hour period. Isn't that just the sweetest thing ever?