Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Perimeter

8/10/2011
01:23 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

Tween Hacker's Time-Travel Trick

DefCon Kid discovers new class of vulns

She's one of the top downhill ski racers in California, an accomplished artist, a seasoned public speaker, and she recently discovered a whole new class of zero-day vulnerabilities.

Oh -- and she's 10 years old.

I got to interview tween hacker sensation "CyFi" at the DefCon 19 hacker convention last week in Las Vegas. CyFi was there as part of the first-ever DefCon Kids conference that was held in closely guarded and cloistered rooms in the same area as DefCon.

I admit I was a little intimidated, as well as excited, about meeting a 10-year-old hacking prodigy. Would she be like Doogie Howser, or a mini super-nerd? So I had to smile when I spotted this ponytailed little girl outside the DefCon Kids room, playing keep-away with her smartphone from a fellow mini-hacker. Amen -- she was a typical little kid.

The interview lasted no more than 10 minutes -- CyFi got distracted by a massive tray of brownies that was wheeled into the room (as did I after spending 45 minutes hiking around the Rio in search of a lunch line that didn't wrap around the poker tables -- I came back empty-handed, stomach growling). This obviously very happy, bright, intelligent, and creative kid was comfortable sitting down with a reporter for an interview, and she was careful not to disclose anything she wasn't allowed to.

CyFi told me she found a bug in her favorite mobile gaming app back in January after getting bored with it. "At first it was so much fun ... but I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said.

So during the next few months, she shared her trick with her friends until her mom caught wind of it, in May. "My mom saw me showing all my friends," CyFi said. And like any typical kid, her first instinct was that she might be in trouble with her mom: "I told her, 'I wasn't keeping it from you,'" she recalled.

CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom explained.

But CyFi's mom, who is no stranger to DefCon, as was the case with most of the DefCon Kids parents -- many are members of the security industry or hackers themselves -- wasn't mad at her daughter. She did what any responsible hacker would do and checked in with the EFF on the responsible disclosure question. It turned out CyFi had found the same bug on multiple games, not just the one app, so the plot thickened.

CyFi and her mom then consulted with a seasoned hacker friend, who checked out the bug and found it in yet another OS. Other professional hacker friends verified it: Turns out CyFi had discovered an entirely new class of zero-day bugs across multiple tablet and smartphone operating systems. CyFi and her mom are now working on the disclosure process with the vendors.

"The mobile app world is different -- you have all these different, tiny companies making games. You don't just have Oracle and Microsoft, so that's why there were so many zero-days," CyFi's mom told me.

"This is the future. If kids can do this -- CyFi will say she's not a genius to do have done this" -- then it's a significant security issue, she said.

CyFi and her mom are way too modest. Just ask the grown-up hackers from DefCon. Now, CyFi may or may not yet fully appreciate this, but she was the recipient of some serious kudos from famed security researcher Dan Kaminsky.

"It's a cool trick, the sort of thing you'd do if you didn't know it shouldn't work. If that's not hacking, I don't know what is," Kaminsky told me. "It's legitimately cool work. We've known for years that games suffer security risks, for reasons of time, budget, and, to be honest, lack of consequence. Attacks against system clocks are also occasionally effective, though usually by slowing the clock down to keep a cryptographic token alive, or resetting time entirely to allow a token to be revived.

"Time acceleration is extremely rare -- I know of only one other use, and that's to locate 'phone homes' where an application or operating system sends traffic to a manufacturer, months, or years after installation.

"Seeing the 'phone home' trick used successfully against mobile games -- en masse -- is impressive, particularly since it apparently works against some online games. That's amazing: CyFi is basically then exploiting server trust of a client variable, which has a full user experience for alteration," Kaminsky said.

CyFi isn't old enough to be on LinkedIn yet, but man, would that be a great endorsement.

Still, I have to admit I was at first a bit uneasy when I heard about DefCon Kids. Bringing kids to Vegas just doesn't seem right (I did it once en route to the Grand Canyon -- don't ask), even though you see families everywhere, schlepping their kids as far around the perimeter of the casino floor as they can, or playing in the pool at Caesars alongside the Margarita-slurping bathers. You really don't want to explain those "business" cards getting shoved in your face on the Strip. Nor do you want them completely exposed to the hard-core side of the DefCon culture. One session I attended must have used the "F" word about 40 times, for example, and beer-cooling contests and smoking areas just aren't kid-friendly, even if they are mostly on the patio of the convention center.

Even so, DefCon Kids won me over: It was all about teaching kids to protect themselves and perform critical thinking and decoding. Parents were required to stay with their kids, and there were cool classroom events, workshops, and even a pint-sized Social Engineering Capture the Flag (CTF) contest that was basically a scavenger hunt. Here's to hoping teaching good hacking and how to protect yourself online to kids will develop more CyFis out there rather than teenage trolls.

CyFi's hack even made longtime hackers nostalgic.

"It reminds us old, jaded people why we got into this from the start," Dan Holden, director of HP DVLabs, said. "Some of us have been doing this since we were teenagers, and we kind of forget why we got into it."

-- Kelly Jackson Higgins, Senior Editor, Dark Reading Follow Kelly (@kjhiggins) here on Twitter.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Attacker Dwell Time: Ransomware's Most Important Metric
Ricardo Villadiego, Founder and CEO of Lumu,  9/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15488
PUBLISHED: 2020-09-30
Re:Desk 2.3 allows insecure file upload.
CVE-2020-15849
PUBLISHED: 2020-09-30
Re:Desk 2.3 has a blind authenticated SQL injection vulnerability in the SettingsController class, in the actionEmailTemplates() method. A malicious actor with access to an administrative account could abuse this vulnerability to recover sensitive data from the application's database, allowing for a...
CVE-2020-14375
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. Virtio ring descriptors, and the data they describe are in a region of memory accessible by from both the virtual machine and the host. An attacker in a VM can change the contents of the memory after vhost_crypto has validated ...
CVE-2020-14376
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A lack of bounds checking when copying iv_data from the VM guest memory into host memory can lead to a large buffer overflow. The highest threat from this vulnerability is to data confidentiality and integrity as well as system...
CVE-2020-14377
PUBLISHED: 2020-09-30
A flaw was found in dpdk in versions before 18.11.10 and before 19.11.5. A complete lack of validation of attacker-controlled parameters can lead to a buffer over read. The results of the over read are then written back to the guest virtual machine memory. This vulnerability can be used by an attack...