Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


01:23 PM
Connect Directly

Tween Hacker's Time-Travel Trick

DefCon Kid discovers new class of vulns

She's one of the top downhill ski racers in California, an accomplished artist, a seasoned public speaker, and she recently discovered a whole new class of zero-day vulnerabilities.

Oh -- and she's 10 years old.

I got to interview tween hacker sensation "CyFi" at the DefCon 19 hacker convention last week in Las Vegas. CyFi was there as part of the first-ever DefCon Kids conference that was held in closely guarded and cloistered rooms in the same area as DefCon.

I admit I was a little intimidated, as well as excited, about meeting a 10-year-old hacking prodigy. Would she be like Doogie Howser, or a mini super-nerd? So I had to smile when I spotted this ponytailed little girl outside the DefCon Kids room, playing keep-away with her smartphone from a fellow mini-hacker. Amen -- she was a typical little kid.

The interview lasted no more than 10 minutes -- CyFi got distracted by a massive tray of brownies that was wheeled into the room (as did I after spending 45 minutes hiking around the Rio in search of a lunch line that didn't wrap around the poker tables -- I came back empty-handed, stomach growling). This obviously very happy, bright, intelligent, and creative kid was comfortable sitting down with a reporter for an interview, and she was careful not to disclose anything she wasn't allowed to.

CyFi told me she found a bug in her favorite mobile gaming app back in January after getting bored with it. "At first it was so much fun ... but I wasn't making enough progress, so I was trying to find a way around that ... to turn the time forward on the device," she said.

So during the next few months, she shared her trick with her friends until her mom caught wind of it, in May. "My mom saw me showing all my friends," CyFi said. And like any typical kid, her first instinct was that she might be in trouble with her mom: "I told her, 'I wasn't keeping it from you,'" she recalled.

CyFi had basically found a way to restart the clock on a mobile gaming app's free trial. "She's going out of the app, and switching the time on the device, and then she goes back in her app," her mom explained.

But CyFi's mom, who is no stranger to DefCon, as was the case with most of the DefCon Kids parents -- many are members of the security industry or hackers themselves -- wasn't mad at her daughter. She did what any responsible hacker would do and checked in with the EFF on the responsible disclosure question. It turned out CyFi had found the same bug on multiple games, not just the one app, so the plot thickened.

CyFi and her mom then consulted with a seasoned hacker friend, who checked out the bug and found it in yet another OS. Other professional hacker friends verified it: Turns out CyFi had discovered an entirely new class of zero-day bugs across multiple tablet and smartphone operating systems. CyFi and her mom are now working on the disclosure process with the vendors.

"The mobile app world is different -- you have all these different, tiny companies making games. You don't just have Oracle and Microsoft, so that's why there were so many zero-days," CyFi's mom told me.

"This is the future. If kids can do this -- CyFi will say she's not a genius to do have done this" -- then it's a significant security issue, she said.

CyFi and her mom are way too modest. Just ask the grown-up hackers from DefCon. Now, CyFi may or may not yet fully appreciate this, but she was the recipient of some serious kudos from famed security researcher Dan Kaminsky.

"It's a cool trick, the sort of thing you'd do if you didn't know it shouldn't work. If that's not hacking, I don't know what is," Kaminsky told me. "It's legitimately cool work. We've known for years that games suffer security risks, for reasons of time, budget, and, to be honest, lack of consequence. Attacks against system clocks are also occasionally effective, though usually by slowing the clock down to keep a cryptographic token alive, or resetting time entirely to allow a token to be revived.

"Time acceleration is extremely rare -- I know of only one other use, and that's to locate 'phone homes' where an application or operating system sends traffic to a manufacturer, months, or years after installation.

"Seeing the 'phone home' trick used successfully against mobile games -- en masse -- is impressive, particularly since it apparently works against some online games. That's amazing: CyFi is basically then exploiting server trust of a client variable, which has a full user experience for alteration," Kaminsky said.

CyFi isn't old enough to be on LinkedIn yet, but man, would that be a great endorsement.

Still, I have to admit I was at first a bit uneasy when I heard about DefCon Kids. Bringing kids to Vegas just doesn't seem right (I did it once en route to the Grand Canyon -- don't ask), even though you see families everywhere, schlepping their kids as far around the perimeter of the casino floor as they can, or playing in the pool at Caesars alongside the Margarita-slurping bathers. You really don't want to explain those "business" cards getting shoved in your face on the Strip. Nor do you want them completely exposed to the hard-core side of the DefCon culture. One session I attended must have used the "F" word about 40 times, for example, and beer-cooling contests and smoking areas just aren't kid-friendly, even if they are mostly on the patio of the convention center.

Even so, DefCon Kids won me over: It was all about teaching kids to protect themselves and perform critical thinking and decoding. Parents were required to stay with their kids, and there were cool classroom events, workshops, and even a pint-sized Social Engineering Capture the Flag (CTF) contest that was basically a scavenger hunt. Here's to hoping teaching good hacking and how to protect yourself online to kids will develop more CyFis out there rather than teenage trolls.

CyFi's hack even made longtime hackers nostalgic.

"It reminds us old, jaded people why we got into this from the start," Dan Holden, director of HP DVLabs, said. "Some of us have been doing this since we were teenagers, and we kind of forget why we got into it."

-- Kelly Jackson Higgins, Senior Editor, Dark Reading Follow Kelly (@kjhiggins) here on Twitter.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
7 Tips for Infosec Pros Considering A Lateral Career Move
Kelly Sheridan, Staff Editor, Dark Reading,  1/21/2020
For Mismanaged SOCs, The Price Is Not Right
Kelly Sheridan, Staff Editor, Dark Reading,  1/22/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I've never actually seen the corporate ladder before.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-23
UNIX Symbolic Link (Symlink) Following vulnerability in the trousers package of SUSE SUSE Linux Enterprise Server 15 SP1; openSUSE Factory allowed local attackers escalate privileges from user tss to root. This issue affects: SUSE SUSE Linux Enterprise Server 15 SP1 trousers versions prior to 0.3.14...
PUBLISHED: 2020-01-23
Incorrect access control in the web interface in Ruckus Wireless Unleashed through allows remote information disclosure of bin/web.conf via HTTP requests.
PUBLISHED: 2020-01-23
Umbraco CMS 8.2.2 allows CSRF to enable/disable or delete user accounts.
PUBLISHED: 2020-01-23
SSRF in AjaxRestrictedCmdStat in zap in Ruckus Wireless Unleashed through allows a remote denial of service via the server attribute to the tools/_rcmdstat.jsp URI.
PUBLISHED: 2020-01-23
In Secure Headers (RubyGem secure_headers), a directive injection vulnerability is present in versions before 3.9.0, 5.2.0, and 6.3.0. If user-supplied input was passed into append/override_content_security_policy_directives, a newline could be injected leading to limited header injection. Upon seei...