Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:23 PM
Connect Directly

Tween Hacker's Time-Travel Trick

DefCon Kid discovers new class of vulns

She's one of the top downhill ski racers in California, an accomplished artist, a seasoned public speaker, and she recently discovered a whole new class of zero-day vulnerabilities.

Oh -- and she's 10 years old.

I got to interview tween hacker sensation "CyFi" at the DefCon 19 hacker convention last week in Las Vegas. CyFi was there as part of the first-ever DefCon Kids conference that was held in closely guarded and cloistered rooms in the same area as DefCon.

I admit I was a little intimidated, as well as excited, about meeting a 10-year-old hacking prodigy. Would she be like Doogie Howser, or a mini super-nerd? So I had to smile when I spotted this ponytailed little girl outside the DefCon Kids room, playing keep-away with her smartphone from a fellow mini-hacker. Amen -- she was a typical little kid.

The interview lasted no more than 10 minutes -- CyFi got distracted by a massive tray of brownies that was wheeled into the room (as did I after spending 45 minutes hiking around the Rio in search of a lunch line that didn't wrap around the poker tables -- I came back empty-handed, stomach growling). This obviously very happy, bright, intelligent, and creative kid was comfortable sitting down with a reporter for an interview, and she was careful not to disclose anything she wasn't allowed to.

CyFi told me she found a bug in her favorite mobile gaming app back in January after getting bored with it. "At first it was so much fun ... but I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said.

So during the next few months, she shared her trick with her friends until her mom caught wind of it, in May. "My mom saw me showing all my friends," CyFi said. And like any typical kid, her first instinct was that she might be in trouble with her mom: "I told her, 'I wasn't keeping it from you,'" she recalled.

CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom explained.

But CyFi's mom, who is no stranger to DefCon, as was the case with most of the DefCon Kids parents -- many are members of the security industry or hackers themselves -- wasn't mad at her daughter. She did what any responsible hacker would do and checked in with the EFF on the responsible disclosure question. It turned out CyFi had found the same bug on multiple games, not just the one app, so the plot thickened.

CyFi and her mom then consulted with a seasoned hacker friend, who checked out the bug and found it in yet another OS. Other professional hacker friends verified it: Turns out CyFi had discovered an entirely new class of zero-day bugs across multiple tablet and smartphone operating systems. CyFi and her mom are now working on the disclosure process with the vendors.

"The mobile app world is different -- you have all these different, tiny companies making games. You don't just have Oracle and Microsoft, so that's why there were so many zero-days," CyFi's mom told me.

"This is the future. If kids can do this -- CyFi will say she's not a genius to do have done this" -- then it's a significant security issue, she said.

CyFi and her mom are way too modest. Just ask the grown-up hackers from DefCon. Now, CyFi may or may not yet fully appreciate this, but she was the recipient of some serious kudos from famed security researcher Dan Kaminsky.

"It's a cool trick, the sort of thing you'd do if you didn't know it shouldn't work. If that's not hacking, I don't know what is," Kaminsky told me. "It's legitimately cool work. We've known for years that games suffer security risks, for reasons of time, budget, and, to be honest, lack of consequence. Attacks against system clocks are also occasionally effective, though usually by slowing the clock down to keep a cryptographic token alive, or resetting time entirely to allow a token to be revived.

"Time acceleration is extremely rare -- I know of only one other use, and that's to locate 'phone homes' where an application or operating system sends traffic to a manufacturer, months, or years after installation.

"Seeing the 'phone home' trick used successfully against mobile games -- en masse -- is impressive, particularly since it apparently works against some online games. That's amazing: CyFi is basically then exploiting server trust of a client variable, which has a full user experience for alteration," Kaminsky said.

CyFi isn't old enough to be on LinkedIn yet, but man, would that be a great endorsement.

Still, I have to admit I was at first a bit uneasy when I heard about DefCon Kids. Bringing kids to Vegas just doesn't seem right (I did it once en route to the Grand Canyon -- don't ask), even though you see families everywhere, schlepping their kids as far around the perimeter of the casino floor as they can, or playing in the pool at Caesars alongside the Margarita-slurping bathers. You really don't want to explain those "business" cards getting shoved in your face on the Strip. Nor do you want them completely exposed to the hard-core side of the DefCon culture. One session I attended must have used the "F" word about 40 times, for example, and beer-cooling contests and smoking areas just aren't kid-friendly, even if they are mostly on the patio of the convention center.

Even so, DefCon Kids won me over: It was all about teaching kids to protect themselves and perform critical thinking and decoding. Parents were required to stay with their kids, and there were cool classroom events, workshops, and even a pint-sized Social Engineering Capture the Flag (CTF) contest that was basically a scavenger hunt. Here's to hoping teaching good hacking and how to protect yourself online to kids will develop more CyFis out there rather than teenage trolls.

CyFi's hack even made longtime hackers nostalgic.

"It reminds us old, jaded people why we got into this from the start," Dan Holden, director of HP DVLabs, said. "Some of us have been doing this since we were teenagers, and we kind of forget why we got into it."

-- Kelly Jackson Higgins, Senior Editor, Dark Reading Follow Kelly (@kjhiggins) here on Twitter.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.
PUBLISHED: 2020-01-18
An issue was discovered in Amcrest Web Server 2.520.AC00.18.R 2017-06-29 WEB The login page responds with JavaScript when one tries to authenticate. An attacker who changes the result parameter (to true) in this JavaScript code can bypass authentication and achieve limited privileges (...