Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

Hacking: The New Child's Play?

Researchers worry as teens and pre-teens play an increasing role in illegal online exploits

In January, a hacker unleashed an exploit that completely freezes up Apple's iPhone. Once installed, the app says only the word "shoes." When uninstalled, it removes files from the device's directory, effectively disabling Sendfile and other utilities.

The exploit's creator is 11 years old. His dad has revoked his Internet privileges.

Less than a week later, a 14-year-old boy in Poland derailed four trains in the city of Lodz with a homemade device he crafted from a TV remote control. "He treated [the city's tram system] like any other schoolboy might a giant train set, but it was lucky nobody was killed," an official said. The boy faces charges in a special juvenile court.

AriX, a 13-year-old who created his first iPod hack at age nine, last month released the first "jailbreak" for the iPhone, manipulating the device's file system access to allow installation of unofficial third-party iPhone applications. He did the same to Apple's iPod Touch back in October.

And the list goes on. Just this week, the FBI nabbed a 17-year-old phone phreak who has cost cities some $250,000 in "swatting" scams. Last week, New Zealand authorities charged Owen Thor Walker, 18, with heading up an international cyber-crime network suspected of infiltrating 1.3 million computers and skimming millions of dollars from victims’ bank accounts.

So what gives here? Are these youth-perpetrated acts unrelated -- just a few child prodigies acting out -- or is there a broader culture that is increasingly encouraging teens and pre-teens to join the ranks of hackers and computer criminals?

One researcher is concerned that the latter scenario is the new rule. Chris Boyd, director of malware research at FaceTime Communications, has been studying what he calls "the Internet generation" for several years now, and he's seen a steady increase in pre-adolescent involvement in questionable -- sometimes criminal -- online activities.

"These are kids that are nine, ten, 12 years old," Boyd says. "They're part of a generation that doesn't remember when there wasn't an Internet, or easy access to it. They grow up with it. They start off playing games, and then they move on to [communities] where they're encouraged to take their hacking to a higher level."

Of course, there's nothing new about the concept of teen hackers, an image that dates back to the 1980s phone phreaks and Matthew Broderick's character in the movie "War Games." In fact, for many years, hackers were often depicted as young, pimple-faced boys, sitting alone in their parents' basements and looking for ways to impress their friends by hacking NASA or the Department of Defense.

In recent years, however, the world of hacking has taken a decided turn toward for-profit exploits, developing a criminal element that is now considered the industry's greatest threat. Hackers are no longer motivated by the desire to build their social status, experts now say, but are almost entirely driven by the desire for financial gain.

To Page 2

But Boyd says such conventional wisdom overlooks a burgeoning community of young teen and pre-teen hackers who still want notoriety among their peers, just like the hackers of old. "They want to be famous," he says. "Not just known among their peers for their technical knowledge, but 'American Idol' famous."

To prove his point, Boyd points to sites like MMOwned, where hackers and game enthusiasts can post ideas for cheating or scamming other users of popular online games such as World of Warcraft. The site allows users to build up their reputations by posting clever ideas and hacks for others' review, and receiving props in return.

"Good try, but try contributing your own stuff," says "Biospecies" in response to a proposed online game account hack. "Appreciate the effort, but no rep." Biospecies claims to have scammed more than 100 accounts.

In other cases, a user on such a site might propose a viable hack, and older kids might steal the idea and sell it on other sites, Boyd says. "Think about the way the bad teens in the neighborhood might use ten- or 11-year-olds to do some of their dirty work for them, like breaking windows or stealing," he says. "This is the way older kids might use younger ones who want to run in the same circles."

And in some cases, adult "scouts" may monitor the younger hackers' sites in order to identify talented hackers whom they will later recruit for their own criminal organizations, Boyd says.

"Some of these kids are really quite proficient. I know of one 13-year-old who has 35 phishing kits on his site. He uses professional tools and gets good results. It's really quite frightening, the skills they've got."

So how do children as young as nine or ten get involved in hacking? "It usually starts out with games or online communities, like Habbo Hotel," Boyd says. "They start by playing games, and then they get bored and start looking for ways to quickly gain an advantage, or extra money or weapons. They start stealing passwords or account information and dealing them, and then they start developing their own scams for getting more.

"In the beginning, a lot of them are just playacting. They make up hacks that don't work and they boast about hacks they haven't done. They see it as part of the game. But then it gets more serious as they learn more from others online."

And children may be enticed by the growing market for online gaming "cheats" and digital assets. Gary McGraw, CTO of Cigital and co-author of the book, Exploiting Online Games, says there's an increasing amount of interest in the buying and selling of online gaming intelligence. (See Online Gaming's Seamy Underside.)

Like the mainstream security research market, the gaming world has spawned a growing black market for cheats, hacks, and malicious exploits, McGraw says. "There is real money to be made by selling 'virtual assets' -- the stuff you need to play these games -- and hackers are learning that they can make money by getting those assets or helping others to get them."

Why don't the cyber cops step in and do something about these hacks and Websites, particularly those where children traffic their exploits?

"Most [law enforcement agencies] are already strained, trying to do something to stop the financially motivated attacks, which are seen as more dangerous," Boyd says. "They only have the resources to focus on the biggest stuff. And when you're dealing with kids, they're too young to be prosecuted anyway. Some of the forums [targeted toward child hackers] have been up for three, four, even five years, and no one has shut them down."

So how does Boyd know so much? Over the past several years, he's taken it upon himself to shut down as many of the kids' hacking sites as he can. "It's not really part of my job here at FaceTime, but I try to stop them wherever I can."

In some cases, Boyd infiltrates the sites by pretending to be a kid himself. Then, after he finds out the extent of the illegal activity, threatens to expose the players. "Sometimes they'll shut down the site and 'retire,' Other times, they'll shut down and you'll see them pop up again a week later on another site."

Without much help from law enforcement, Boyd also has recruited Internet service providers in his effort to curb underage hacking. "I've even approached some of the advertisers on the ISP's network and asked them to help me convince the ISP to do something about it."

But Boyd also recognizes that one man's efforts aren't enough to stem the growing tide of kids getting into hacking. "A lot of it is cultural," he says. "These kids want to be seen as cool on the social networking sites. They don't have the same concept of anonymity as [today's adults] do. If we're going to do something about it, we have to look at it more from their perspective."

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Cigital Inc.
  • FaceTime Communications Inc.

    Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ... View Full Bio

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Newest First  |  Oldest First  |  Threaded View
    Navigating Security in the Cloud
    Diya Jolly, Chief Product Officer, Okta,  12/4/2019
    Register for Dark Reading Newsletters
    White Papers
    Video
    Cartoon Contest
    Current Issue
    Navigating the Deluge of Security Data
    In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
    Flash Poll
    Rethinking Enterprise Data Defense
    Rethinking Enterprise Data Defense
    Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    CVE-2019-16772
    PUBLISHED: 2019-12-07
    The serialize-to-js NPM package before version 3.0.1 is vulnerable to Cross-site Scripting (XSS). It does not properly mitigate against unsafe characters in serialized regular expressions. This vulnerability is not affected on Node.js environment since Node.js's implementation of RegExp.prototype.to...
    CVE-2019-9464
    PUBLISHED: 2019-12-06
    In various functions of RecentLocationApps.java, DevicePolicyManagerService.java, and RecognitionService.java, there is an incorrect warning indicating an app accessed the user's location. This could dissolve the trust in the platform's permission system, with no additional execution privileges need...
    CVE-2019-2220
    PUBLISHED: 2019-12-06
    In checkOperation of AppOpsService.java, there is a possible bypass of user interaction requirements due to mishandling application suspend. This could lead to local information disclosure no additional execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVers...
    CVE-2019-2221
    PUBLISHED: 2019-12-06
    In hasActivityInVisibleTask of WindowProcessController.java there�s a possible bypass of user interaction requirements due to incorrect handling of top activities in INITIALIZING state. This could lead to local escalation of privilege with no additional execution privileges need...
    CVE-2019-2222
    PUBLISHED: 2019-12-06
    n ihevcd_parse_slice_data of ihevcd_parse_slice.c, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-8.0 Android...