Ten-Year-Old Hacker Reveals Mobile Gaming Exploit at Defcon

Andy Chalk

One Flag, One Fleet, One Cat
Nov 12, 2002
45,698
1
0
Ten-Year-Old Hacker Reveals Mobile Gaming Exploit at Defcon


A ten-year-old hacker who discovered an exploit that allows easy cheating in iOS and Android games has presented her findings to this year's Defcon [https://www.defcon.org/] hacking conference.

I don't really know what the average ten-year-old girl gets up to in her spare time these days but I'm pretty sure it's not figuring out how to exploit the latest generation of mobile videogames. Yet that's exactly what what the precocious little darling with the handle of "CyFi" did, and then she headed off to Defcon to tell everyone about it.

CyFi discovered that by fiddling with the clock on her mobile devices, she could speed up the action in certain games, allowing her to do things like "grow pumpkins instantly" in farming games. That in itself isn't a particularly novel idea; what makes CyFi's discovery interesting is that app makers apparently saw this coming and built in protections against it, which she was nonetheless able to circumvent by disconnecting the devices from the network and increasing the clock in small increments.

"It was hard to make progress in the game, because it took so long for things to grow," she told CNet [http://download.cnet.com/8301-2007_4-20089152-12/10-year-old-hacker-finds-zero-day-flaw-in-games/]. "So I thought, 'Why don't I just change the time?'"

She didn't reveal the specifics of her exploit or the names of the games involved in order to keep it from becoming too widespread but she did discuss the matter in a Defcon Kids [http://www.defconkids.org/] presentation entitled "Apps - A Traveler of Both Time and Space [And What I Learned About Zero-Days and Responsible Disclosure]."

"The world of apps has obvious[ly] not thought about security, yet. Here is an import[ant] lesson they can learn from a Girl Scout. I'll show a new class of vulnerabilities I call TimeTraveler," she wrote. "By controlling time, you can do many things, such as grow pum[p]kins instantly. This technique enables endless possibilities. I'll show you how. Wanna play a game? Let's find some zero-days! (Cuz it's fun!)"

CyFi's mother said that following her daughter's presentation, identity protection company AllClear ID [the folks contracted by Sony to provide a year of free identity theft protection [http://www.escapistmagazine.com/news/view/110453-Sony-Offers-PSN-Customers-a-Year-of-Identity-Protection] to PSN customers] would offer a $100 reward to the "young hacker" who discovered the most games vulnerable to the exploit in a 24-hour period. Isn't that just the sweetest thing ever?

via: Dvice [http://dvice.com/archives/2011/08/10-year-old-gir.php]


Permalink
 

Frostbite3789

New member
Jul 12, 2010
1,778
0
0
rembrandtqeinstein said:
cursedseishi said:
That's an exploit...? I don't mean to rain on her parade or anything but... lots of games have that same kind of "exploit" in them. Any console OR computer game that bases itself off your set clock could easily be manipulated doing that. Sure I guess circumventing a minor security trick is nice and all... but still...
Dude she is 10. And she gave a presentation at Defcon. What amazing thing did you do when you were 10 besides probably having to be warned multiple times to not stick utensils in electric sockets and repeatedly consoled with the statement "its ok, lots of kids still have accidents at this age".
I'm with your point, but your execution is extremely poor. There was no need for the personal attacks on the other guy.

OT: That's pretty cool. At 10, I was just kind of playing games. Not thinking about mechanics, or how to make things happen more efficiently.
 

Kodachi

New member
Jun 6, 2011
103
0
0
cursedseishi said:
That's an exploit...? I don't mean to rain on her parade or anything but... lots of games have that same kind of "exploit" in them. Any console OR computer game that bases itself off your set clock could easily be manipulated doing that. Sure I guess circumventing a minor security trick is nice and all... but still...
Think outside the box. Sure changing the date and time to instantly grow pumpkins isn't that nefarious but what about other systems that rely on a digital scheduling system, automatic alarm systems for instance. The point isn't that she's now a master of mobile games but that she's exposed an exploitable flaw that could potentially be other areas as well. DEF CON is all about bringing these issues to light so that security as an industry can reflect on their practices and advance the field and this girl definitely held up this idea. Kudos to her!
 

Formica Archonis

Anonymous Source
Nov 13, 2009
2,312
0
0
First off, kudos to the presenter. The world needs more white hats and geek girls need more role models.

Fawxy said:
I dunno, I thought it was pretty funny. Besides, when you're the first person posting on an article and all you have to say is "pssh, that's all she did? I could have done that so easily" never mind the fact that the person in question is TEN, then you deserve to get knocked down a few pegs.
Heh. Particularly when grown-up Defcon has a presentation about how the world's first Homeland-Security-approved lock can be opened by giving it a quick whack with a mallet [http://blogs.forbes.com/andygreenberg/2011/08/05/defcon-lockpickers-open-card-and-code-government-locks-in-seconds/]. (Or poking it with a wire. Or resetting it completely.) Anyone could've hit one of these with a mallet, but only one person DID.
 

SextusMaximus

Nightingale Assassin
May 20, 2009
3,508
0
0
I appreciate that she's a "child wonder" and all that jazz, but haven't people been doing this for years?

Well done for her finding out and all, wouldn't have been to do that when I was ten.
 

laggyteabag

Scrolling through forums, instead of playing games
Legacy
Oct 25, 2009
3,355
1,042
118
UK
Gender
He/Him
I think there's a difference between Hacking and changing the time setting...
 

Scarim Coral

Jumped the ship
Legacy
Oct 29, 2010
18,157
2
3
Country
UK
She is very talented to able to hack like that in her age and to expose such an exploit. I hope that she used her talent to continue uses for "good" unlike the recent hackers these days.
 

ripdajacker

Code Monkey
Oct 25, 2009
134
0
0
This is indeed a hack, but not necessarily a complex one of the sort. It would not be that impressive if a experienced programmer did something similar, but at that age having that logic mindset is very impressive.

The fact that she is a 10-year old GIRL is well.. brilliant. She certainly has a future in software development if she continues with that mindset.
 

D0WNT0WN

New member
Sep 28, 2008
808
0
0
Disconnecting from the internet and moving the clock forward does not equal hacking. This exploit was in Fable 2, MGS3 and im sure many many games.
 

Hagi

New member
Apr 10, 2011
2,741
0
0
Awesome for the girl, great to some female presence in this scene, even if she's only 10.

I do find the $100 dollar reward a bit insulting, I mean let's be honest a company that likely got big amounts of money from Sony for that year of free identity theft protection views $100 dollar bills as relatively small change. $1000 wouldn't really have hurt them financially and would've shown much greater respect, this just sounds like a bid for cheap media attention.
 

Hagi

New member
Apr 10, 2011
2,741
0
0
D0WNT0WN said:
Disconnecting from the internet and moving the clock forward does not equal hacking. This exploit was in Fable 2, MGS3 and im sure many many games.
And you were able to figure this out and then explain it at a major convention at which age?
 

llafnwod

New member
Nov 9, 2007
426
0
0
I'm pretty sure I figured this out on emulators at 11. Where's my Goddamn medal?