DefCon Kid discovers new class of vulns

She's one of the top downhill ski racers in California, an accomplished artist, a seasoned public speaker, and she recently discovered a whole new class of zero-day vulnerabilities.

Oh -- and she's 10 years old.

I got to interview tween hacker sensation "CyFi" at the DefCon 19 hacker convention last week in Las Vegas. CyFi was there as part of the first-ever DefCon Kids conference that was held in closely guarded and cloistered rooms in the same area as DefCon.

I admit I was a little intimidated, as well as excited, about meeting a 10-year-old hacking prodigy. Would she be like Doogie Howser, or a mini super-nerd? So I had to smile when I spotted this ponytailed little girl outside the DefCon Kids room, playing keep-away with her smartphone from a fellow mini-hacker. Amen -- she was a typical little kid.

The interview lasted no more than 10 minutes -- CyFi got distracted by a massive tray of brownies that was wheeled into the room (as did I after spending 45 minutes hiking around the Rio in search of a lunch line that didn't wrap around the poker tables -- I came back empty-handed, stomach growling). This obviously very happy, bright, intelligent, and creative kid was comfortable sitting down with a reporter for an interview, and she was careful not to disclose anything she wasn't allowed to.

CyFi told me she found a bug in her favorite mobile gaming app back in January after getting bored with it. "At first it was so much fun ... but I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said.

So during the next few months, she shared her trick with her friends until her mom caught wind of it, in May. "My mom saw me showing all my friends," CyFi said. And like any typical kid, her first instinct was that she might be in trouble with her mom: "I told her, 'I wasn't keeping it from you,'" she recalled.

CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom explained.

But CyFi's mom, who is no stranger to DefCon, as was the case with most of the DefCon Kids parents -- many are members of the security industry or hackers themselves -- wasn't mad at her daughter. She did what any responsible hacker would do and checked in with the EFF on the responsible disclosure question. It turned out CyFi had found the same bug on multiple games, not just the one app, so the plot thickened.

CyFi and her mom then consulted with a seasoned hacker friend, who checked out the bug and found it in yet another OS. Other professional hacker friends verified it: Turns out CyFi had discovered an entirely new class of zero-day bugs across multiple tablet and smartphone operating systems. CyFi and her mom are now working on the disclosure process with the vendors.

"The mobile app world is different -- you have all these different, tiny companies making games. You don't just have Oracle and Microsoft, so that's why there were so many zero-days," CyFi's mom told me.

"This is the future. If kids can do this -- CyFi will say she's not a genius to do have done this" -- then it's a significant security issue, she said.

CyFi and her mom are way too modest. Just ask the grown-up hackers from DefCon. Now, CyFi may or may not yet fully appreciate this, but she was the recipient of some serious kudos from famed security researcher Dan Kaminsky.

"It's a cool trick, the sort of thing you'd do if you didn't know it shouldn't work. If that's not hacking, I don't know what is," Kaminsky told me. "It's legitimately cool work. We've known for years that games suffer security risks, for reasons of time, budget, and, to be honest, lack of consequence. Attacks against system clocks are also occasionally effective, though usually by slowing the clock down to keep a cryptographic token alive, or resetting time entirely to allow a token to be revived.

"Time acceleration is extremely rare -- I know of only one other use, and that's to locate 'phone homes' where an application or operating system sends traffic to a manufacturer, months, or years after installation.

"Seeing the 'phone home' trick used successfully against mobile games -- en masse -- is impressive, particularly since it apparently works against some online games. That's amazing: CyFi is basically then exploiting server trust of a client variable, which has a full user experience for alteration," Kaminsky said.

CyFi isn't old enough to be on LinkedIn yet, but man, would that be a great endorsement.

Still, I have to admit I was at first a bit uneasy when I heard about DefCon Kids. Bringing kids to Vegas just doesn't seem right (I did it once en route to the Grand Canyon -- don't ask), even though you see families everywhere, schlepping their kids as far around the perimeter of the casino floor as they can, or playing in the pool at Caesars alongside the Margarita-slurping bathers. You really don't want to explain those "business" cards getting shoved in your face on the Strip. Nor do you want them completely exposed to the hard-core side of the DefCon culture. One session I attended must have used the "F" word about 40 times, for example, and beer-cooling contests and smoking areas just aren't kid-friendly, even if they are mostly on the patio of the convention center.

Even so, DefCon Kids won me over: It was all about teaching kids to protect themselves and perform critical thinking and decoding. Parents were required to stay with their kids, and there were cool classroom events, workshops, and even a pint-sized Social Engineering Capture the Flag (CTF) contest that was basically a scavenger hunt. Here's to hoping teaching good hacking and how to protect yourself online to kids will develop more CyFis out there rather than teenage trolls.

CyFi's hack even made longtime hackers nostalgic.

"It reminds us old, jaded people why we got into this from the start," Dan Holden, director of HP DVLabs, said. "Some of us have been doing this since we were teenagers, and we kind of forget why we got into it."

-- Kelly Jackson Higgins, Senior Editor, Dark Reading Follow Kelly (@kjhiggins) here on Twitter.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights