

Hacking: The New Child's Play?

Researchers worry as teens and pre-teens play an increasing role in illegal online exploits

In January, a hacker unleashed an exploit that completely freezes up Apple's iPhone. Once installed, the app says only the word "shoes." When uninstalled, it removes files from the device's directory, effectively disabling Sendfile and other utilities.

The exploit's creator is 11 years old. His dad has revoked his Internet privileges.

Less than a week later, a 14-year-old boy in Poland derailed four trains in the city of Lodz with a homemade device he crafted from a TV remote control. "He treated [the city's tram system] like any other schoolboy might a giant train set, but it was lucky nobody was killed," an official said. The boy faces charges in a special juvenile court.

AriX, a 13-year-old who created his first iPod hack at age nine, last month released the first "jailbreak" for the iPhone, manipulating the device's file system access to allow installation of unofficial third-party iPhone applications. He did the same to Apple's iPod Touch back in October.

And the list goes on. Just this week, the FBI nabbed a 17-year-old phone phreak who has cost cities some $250,000 in "swatting" scams. Last week, New Zealand authorities charged Owen Thor Walker, 18, with heading up an international cyber-crime network suspected of infiltrating 1.3 million computers and skimming millions of dollars from victims’ bank accounts.

So what gives here? Are these youth-perpetrated acts unrelated -- just a few child prodigies acting out -- or is there a broader culture that is increasingly encouraging teens and pre-teens to join the ranks of hackers and computer criminals?

One researcher is concerned that the latter scenario is the new rule. Chris Boyd, director of malware research at FaceTime Communications, has been studying what he calls "the Internet generation" for several years now, and he's seen a steady increase in pre-adolescent involvement in questionable -- sometimes criminal -- online activities.

"These are kids that are nine, ten, 12 years old," Boyd says. "They're part of a generation that doesn't remember when there wasn't an Internet, or easy access to it. They grow up with it. They start off playing games, and then they move on to [communities] where they're encouraged to take their hacking to a higher level."

Of course, there's nothing new about the concept of teen hackers, an image that dates back to the 1980s phone phreaks and Matthew Broderick's character in the movie "War Games." In fact, for many years, hackers were often depicted as young, pimple-faced boys, sitting alone in their parents' basements and looking for ways to impress their friends by hacking NASA or the Department of Defense.

In recent years, however, the world of hacking has taken a decided turn toward for-profit exploits, developing a criminal element that is now considered the industry's greatest threat. Hackers are no longer motivated by the desire to build their social status, experts now say, but are almost entirely driven by the desire for financial gain.


But Boyd says such conventional wisdom overlooks a burgeoning community of young teen and pre-teen hackers who still want notoriety among their peers, just like the hackers of old. "They want to be famous," he says. "Not just known among their peers for their technical knowledge, but 'American Idol' famous."

To prove his point, Boyd points to sites like MMOwned, where hackers and game enthusiasts can post ideas for cheating or scamming other users of popular online games such as World of Warcraft. The site allows users to build up their reputations by posting clever ideas and hacks for others' review, and receiving props in return.

"Good try, but try contributing your own stuff," says "Biospecies" in response to a proposed online game account hack. "Appreciate the effort, but no rep." Biospecies claims to have scammed more than 100 accounts.

In other cases, a user on such a site might propose a viable hack, and older kids might steal the idea and sell it on other sites, Boyd says. "Think about the way the bad teens in the neighborhood might use ten- or 11-year-olds to do some of their dirty work for them, like breaking windows or stealing," he says. "This is the way older kids might use younger ones who want to run in the same circles."

And in some cases, adult "scouts" may monitor the younger hackers' sites in order to identify talented hackers whom they will later recruit for their own criminal organizations, Boyd says.

"Some of these kids are really quite proficient. I know of one 13-year-old who has 35 phishing kits on his site. He uses professional tools and gets good results. It's really quite frightening, the skills they've got."

So how do children as young as nine or ten get involved in hacking? "It usually starts out with games or online communities, like Habbo Hotel," Boyd says. "They start by playing games, and then they get bored and start looking for ways to quickly gain an advantage, or extra money or weapons. They start stealing passwords or account information and dealing them, and then they start developing their own scams for getting more.

"In the beginning, a lot of them are just playacting. They make up hacks that don't work and they boast about hacks they haven't done. They see it as part of the game. But then it gets more serious as they learn more from others online."

And children may be enticed by the growing market for online gaming "cheats" and digital assets. Gary McGraw, CTO of Cigital and co-author of the book, Exploiting Online Games, says there's an increasing amount of interest in the buying and selling of online gaming intelligence. (See Online Gaming's Seamy Underside.)

Like the mainstream security research market, the gaming world has spawned a growing black market for cheats, hacks, and malicious exploits, McGraw says. "There is real money to be made by selling 'virtual assets' -- the stuff you need to play these games -- and hackers are learning that they can make money by getting those assets or helping others to get them."

Why don't the cyber cops step in and do something about these hacks and Websites, particularly those where children traffic their exploits?

"Most [law enforcement agencies] are already strained, trying to do something to stop the financially motivated attacks, which are seen as more dangerous," Boyd says. "They only have the resources to focus on the biggest stuff. And when you're dealing with kids, they're too young to be prosecuted anyway. Some of the forums [targeted toward child hackers] have been up for three, four, even five years, and no one has shut them down."

So how does Boyd know so much? Over the past several years, he's taken it upon himself to shut down as many of the kids' hacking sites as he can. "It's not really part of my job here at FaceTime, but I try to stop them wherever I can."

In some cases, Boyd infiltrates the sites by pretending to be a kid himself. Then, after he finds out the extent of the illegal activity, he threatens to expose the players. "Sometimes they'll shut down the site and 'retire.' Other times, they'll shut down and you'll see them pop up again a week later on another site."

Without much help from law enforcement, Boyd also has recruited Internet service providers in his effort to curb underage hacking. "I've even approached some of the advertisers on the ISP's network and asked them to help me convince the ISP to do something about it."

But Boyd also recognizes that one man's efforts aren't enough to stem the growing tide of kids getting into hacking. "A lot of it is cultural," he says. "These kids want to be seen as cool on the social networking sites. They don't have the same concept of anonymity as [today's adults] do. If we're going to do something about it, we have to look at it more from their perspective."


Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...