Perimeter
8/10/2011
01:23 PM

Tween Hacker's Time-Travel Trick

DefCon Kid discovers new class of vulns

She's one of the top downhill ski racers in California, an accomplished artist, a seasoned public speaker, and she recently discovered a whole new class of zero-day vulnerabilities.

Oh -- and she's 10 years old.

I got to interview tween hacker sensation "CyFi" at the DefCon 19 hacker convention last week in Las Vegas. CyFi was there as part of the first-ever DefCon Kids conference that was held in closely guarded and cloistered rooms in the same area as DefCon.

I admit I was a little intimidated, as well as excited, about meeting a 10-year-old hacking prodigy. Would she be like Doogie Howser, or a mini super-nerd? So I had to smile when I spotted this ponytailed little girl outside the DefCon Kids room, playing keep-away with her smartphone from a fellow mini-hacker. Amen -- she was a typical little kid.

The interview lasted no more than 10 minutes -- CyFi got distracted by a massive tray of brownies that was wheeled into the room (as did I after spending 45 minutes hiking around the Rio in search of a lunch line that didn't wrap around the poker tables -- I came back empty-handed, stomach growling). This obviously very happy, bright, intelligent, and creative kid was comfortable sitting down with a reporter for an interview, and she was careful not to disclose anything she wasn't allowed to.

CyFi told me she found a bug in her favorite mobile gaming app back in January after getting bored with it. "At first it was so much fun ... but I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said.

So during the next few months, she shared her trick with her friends until her mom caught wind of it, in May. "My mom saw me showing all my friends," CyFi said. And like any typical kid, her first instinct was that she might be in trouble with her mom: "I told her, 'I wasn't keeping it from you,'" she recalled.

CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom explained.

But CyFi's mom, who is no stranger to DefCon -- as was the case with most of the DefCon Kids parents, many of whom are members of the security industry or hackers themselves -- wasn't mad at her daughter. She did what any responsible hacker would do and checked in with the EFF on the responsible disclosure question. It turned out CyFi had found the same bug on multiple games, not just the one app, so the plot thickened.

CyFi and her mom then consulted with a seasoned hacker friend, who checked out the bug and found it in yet another OS. Other professional hacker friends verified it: Turns out CyFi had discovered an entirely new class of zero-day bugs across multiple tablet and smartphone operating systems. CyFi and her mom are now working on the disclosure process with the vendors.

"The mobile app world is different -- you have all these different, tiny companies making games. You don't just have Oracle and Microsoft, so that's why there were so many zero-days," CyFi's mom told me.

"This is the future. If kids can do this -- CyFi will say she's not a genius to have done this" -- then it's a significant security issue, she said.

CyFi and her mom are way too modest. Just ask the grown-up hackers from DefCon. Now, CyFi may or may not yet fully appreciate this, but she was the recipient of some serious kudos from famed security researcher Dan Kaminsky.

"It's a cool trick, the sort of thing you'd do if you didn't know it shouldn't work. If that's not hacking, I don't know what is," Kaminsky told me. "It's legitimately cool work. We've known for years that games suffer security risks, for reasons of time, budget, and, to be honest, lack of consequence. Attacks against system clocks are also occasionally effective, though usually by slowing the clock down to keep a cryptographic token alive, or resetting time entirely to allow a token to be revived.

"Time acceleration is extremely rare -- I know of only one other use, and that's to locate 'phone homes' where an application or operating system sends traffic to a manufacturer, months, or years after installation.

"Seeing the 'phone home' trick used successfully against mobile games -- en masse -- is impressive, particularly since it apparently works against some online games. That's amazing: CyFi is basically then exploiting server trust of a client variable, which has a full user experience for alteration," Kaminsky said.
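The trick described above (leave the app, move the device clock, come back) and Kaminsky's point about "server trust of a client variable" come down to one design decision: whose clock decides when a timer has expired. The following is an added example written for this page, not code from any of the games mentioned or from anyone quoted; the class names, the six-hour cooldown and the player id are constructed. It contrasts a timer that compares against the device's own wall clock with one where the server records the start time and answers the "is it ready?" question itself, plus a client-side heuristic that notices when the wall clock has jumped relative to a monotonic counter.

```python
"""Client-clock trust vs. server-authoritative timers (constructed example)."""
from dataclasses import dataclass, field


@dataclass
class Device:
    """Simulated handset. The wall clock is user-settable, like a phone's date/time."""
    wall_clock: float  # seconds since epoch, constructed value


@dataclass
class ClientTimer:
    """Vulnerable design: cooldown state lives on the device and is checked
    against the device's own clock. Winding the clock forward ends the wait."""
    cooldown: float
    ready_at: float = 0.0

    def start(self, device: Device) -> None:
        self.ready_at = device.wall_clock + self.cooldown

    def is_ready(self, device: Device) -> bool:
        return device.wall_clock >= self.ready_at


@dataclass
class Server:
    """Hardened design: the server stamps the start with its own clock and the
    client only asks whether the cooldown is over; no client time is accepted."""
    now: float  # server clock; the client cannot change it
    ready_at: dict = field(default_factory=dict)

    def start(self, player_id: str, cooldown: float) -> None:
        self.ready_at[player_id] = self.now + cooldown

    def is_ready(self, player_id: str) -> bool:
        return self.now >= self.ready_at.get(player_id, 0.0)


def clock_jumped(prev_wall: float, prev_mono: float,
                 wall: float, mono: float, slack: float = 60.0) -> bool:
    """Defense-in-depth for offline use: compare elapsed wall-clock time with
    elapsed monotonic time (e.g. system uptime). A user can set the date; they
    cannot make uptime skip ahead. Returns True when the two disagree by more
    than `slack` seconds, i.e. the wall clock was moved."""
    elapsed_mono = mono - prev_mono
    elapsed_wall = wall - prev_wall
    return abs(elapsed_wall - elapsed_mono) > slack


def demo() -> dict:
    """Run both designs through the same 'set the phone a day ahead' scenario."""
    cooldown = 6 * 3600.0            # six-hour wait, constructed
    dev = Device(wall_clock=1_000_000.0)
    srv = Server(now=1_000_000.0)    # same instant on the server

    client_timer = ClientTimer(cooldown)
    client_timer.start(dev)
    srv.start("player-1", cooldown)

    # Player leaves the app, moves the device clock forward a day, returns.
    # Only ~5 s of real (monotonic) time has passed.
    dev.wall_clock += 24 * 3600.0
    mono_now = 5.0

    return {
        "client_trusts_device_clock": client_timer.is_ready(dev),  # bypassed
        "server_authoritative": srv.is_ready("player-1"),          # still waiting
        "jump_detected": clock_jumped(1_000_000.0, 0.0, dev.wall_clock, mono_now),
    }


if __name__ == "__main__":
    print(demo())
```

The server-side check only helps online games; for offline titles the monotonic comparison is the fallback, and it has a known blind spot: a reboot resets uptime, so a persisted (prev_wall, prev_mono) pair must be treated as stale after a restart rather than as proof of tampering.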

CyFi isn't old enough to be on LinkedIn yet, but man, would that be a great endorsement.

Still, I have to admit I was at first a bit uneasy when I heard about DefCon Kids. Bringing kids to Vegas just doesn't seem right (I did it once en route to the Grand Canyon -- don't ask), even though you see families everywhere, schlepping their kids as far around the perimeter of the casino floor as they can, or playing in the pool at Caesars alongside the Margarita-slurping bathers. You really don't want to explain those "business" cards getting shoved in your face on the Strip. Nor do you want them completely exposed to the hard-core side of the DefCon culture. One session I attended must have used the "F" word about 40 times, for example, and beer-cooling contests and smoking areas just aren't kid-friendly, even if they are mostly on the patio of the convention center.

Even so, DefCon Kids won me over: It was all about teaching kids to protect themselves and perform critical thinking and decoding. Parents were required to stay with their kids, and there were cool classroom events, workshops, and even a pint-sized Social Engineering Capture the Flag (CTF) contest that was basically a scavenger hunt. Here's to hoping teaching good hacking and how to protect yourself online to kids will develop more CyFis out there rather than teenage trolls.

CyFi's hack even made longtime hackers nostalgic.

"It reminds us old, jaded people why we got into this from the start," Dan Holden, director of HP DVLabs, said. "Some of us have been doing this since we were teenagers, and we kind of forget why we got into it."

-- Kelly Jackson Higgins, Senior Editor, Dark Reading. Follow Kelly (@kjhiggins) on Twitter.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
