
8/19/2013 06:12 PM

Kid Hackers Bag Bug Bounties

DEF CON Kid and co-founder of R00tz Asylum also names the mobile apps affected by the 'Time Traveler' class of vulnerabilities she discovered two years ago

Most kids under the age of 16 spend the summer at the pool or at camp. Then there are those kids who also spend part of the school break soldering hardware circuitry, and finding and reporting security bugs in mobile apps and smart TVs.

Such is the summer of the DEF CON Kids, now under the new banner of R00tz Asylum, a nonprofit that educates kids on white-hat hacking. Now in its third year, the kid-friendly DEF CON conference held in Las Vegas earlier this month hit a few milestones with three of its pint-sized participants scoring cash bug bounties from Samsung, and others discovering more mobile apps vulnerable to the so-called "Time Traveler" class of flaws first discovered by a 10-year-old. Some 300 kids and parents attended the kids' hacking conference, and half of the parents are regular attendees of the adult DEF CON.

CyFi, 12, a co-founder of R00tz Asylum, announced at the first DEF CON Kids in 2011 that she had discovered and reported a new class of so-called "Time Traveler" vulnerabilities in iOS, Android, and BlackBerry mobile apps. The affected apps trust the device's own clock, so a user who changes it can restart the clock on a mobile gaming app's free trial or fast-forward its in-game timers. CyFi had stumbled onto a rare time-acceleration weakness that impressed several renowned grown-up security researchers, and that ultimately could let exploit code run on servers.
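The following is an added example, not code from the article or from any of the apps it names, of the pattern behind this class of bug as the article describes it: a deliberately vulnerable timer that measures elapsed time against the user-settable device clock, beside a hardened timer that trusts only a server timestamp signed over a fresh client nonce. The class and function names, the per-install key, the timer lengths and the scenario values are assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

TRIAL_SECONDS = 7 * 24 * 3600   # assumed one-week free trial
CROP_SECONDS = 4 * 3600         # assumed in-game "wait four hours" timer


# ---- Vulnerable pattern: the app trusts the device's settable wall clock ----
class DeviceClockTimer:
    """Records device time at start and measures elapsed time on the same clock."""

    def __init__(self, device_now):
        self.started_at = device_now

    def elapsed(self, device_now):
        return device_now - self.started_at


def vulnerable_trial_active(timer, device_now):
    return timer.elapsed(device_now) < TRIAL_SECONDS


def vulnerable_crop_ready(timer, device_now):
    return timer.elapsed(device_now) >= CROP_SECONDS


# ---- Hardened pattern: only a freshly signed server timestamp counts --------
# Assumption: a per-install key shared with the backend (e.g. delivered at
# registration). One key baked into every app binary would simply be extracted.
SERVER_KEY = b"per-install-demo-key"


def server_sign_time(server_now, nonce):
    """Backend side: bind the current server time to the client's nonce."""
    payload = json.dumps({"t": server_now, "n": nonce}, sort_keys=True).encode()
    mac = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    return payload, mac


def verify_signed_time(payload, mac, expected_nonce):
    """Client side: accept a time only if the MAC verifies and the nonce is the
    one just generated, so a stale receipt cannot be replayed to freeze time."""
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("bad signature")
    data = json.loads(payload)
    if data["n"] != expected_nonce:
        raise ValueError("stale receipt (nonce mismatch)")
    return data["t"]


class ServerClockTimer:
    """Same timers, but elapsed time comes purely from signed server time."""

    def __init__(self, start_receipt, nonce):
        self.started_at = verify_signed_time(*start_receipt, nonce)

    def elapsed(self, receipt, nonce):
        now = verify_signed_time(*receipt, nonce)
        if now < self.started_at:
            raise ValueError("server time went backwards")  # treat as tampering
        return now - self.started_at


def hardened_trial_active(timer, receipt, nonce):
    return timer.elapsed(receipt, nonce) < TRIAL_SECONDS


def hardened_crop_ready(timer, receipt, nonce):
    return timer.elapsed(receipt, nonce) >= CROP_SECONDS


def demo():
    """Constructed scenario: real time starts at t0; the user moves the device clock."""
    t0 = 1_700_000_000
    vuln = DeviceClockTimer(t0)                      # device clock starts honest
    n0 = secrets.token_hex(8)
    hard = ServerClockTimer(server_sign_time(t0, n0), n0)
    results = {}

    # 1. Time acceleration: device clock jumped forward 5 hours; only 60 s really passed.
    device = t0 + 5 * 3600
    n1 = secrets.token_hex(8)
    r1 = server_sign_time(t0 + 60, n1)
    results["vuln_crop_after_forward_jump"] = vulnerable_crop_ready(vuln, device)
    results["hard_crop_after_forward_jump"] = hardened_crop_ready(hard, r1, n1)

    # 2. Trial reset: 30 real days later, the device clock is rolled back to day one.
    device = t0 + 100
    n2 = secrets.token_hex(8)
    r2 = server_sign_time(t0 + 30 * 24 * 3600, n2)
    results["vuln_trial_after_rollback"] = vulnerable_trial_active(vuln, device)
    results["hard_trial_after_rollback"] = hardened_trial_active(hard, r2, n2)

    # 3. Replay: the client presents the old receipt r1 under a new nonce.
    n3 = secrets.token_hex(8)
    try:
        hardened_trial_active(hard, r1, n3)
        results["replay_rejected"] = False
    except ValueError:
        results["replay_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The nonce is what makes the hardened version hold up: without it, a user could capture one signed timestamp and keep presenting it, which freezes a trial just as effectively as rolling the clock back. An offline app can bridge short gaps with a monotonic counter the user cannot set, but that counter resets on reboot, so the server stays the authority and the app should simply degrade to "trial status unknown" when it cannot get a fresh receipt.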

Since then, CyFi has continued to work the responsible disclosure process with a little help from her mom, the Electronic Frontier Foundation (EFF), and AT&T. She has also hosted her own Zero-Day Contest for fellow DEF CON Kids/R00tz attendees, which has helped her identify some 120 mobile apps vulnerable to the Time Traveler class of bugs. According to CyFi -- who until now has kept the names of the apps under wraps -- some 20 of those apps have now officially been fixed, but 100 others remain vulnerable.

The fixed apps include raiX UG Butterfly Farm; Phoenix Age Castle Age; and Team Lava's Zoo Story, City Story, Empire Story, Farm Story, Bakery Story, Dragon Story, Fashion Story, and others. CyFi reports that Candy Saga, Candy Island, City Friends, Fashion City, Monster Petshop, Mini pets, Mine craft lite, Pet Cafe, and Shen Games Zombie Farm, are among the 100 that remain vulnerable.

Fellow kid hackers Kryptina, zinc, xuberator, 0ldst3v3n, s0ftwire, and tb0ne all found apps with the flaws.

Meanwhile, CyFi also has been awarded her first bug bounty -- $1,000 from Samsung for finding a flaw in its smart TV during a contest at R00tz spearheaded by security researchers Aaron Grattafiori and Josh Yavor from iSecPartners. Grattafiori and Yavor earlier that week at Black Hat USA had shown how Samsung smart TVs could be abused and used to spy on their owners and viewers. While helping out with DEF CON Kids/R00tz, the researchers decided to get the kids involved, and CyFi and fellow R00tz kid participants Neil and Bryce found one Samsung App Store flaw and two bugs in Samsung's own Facebook app for its smart TVs.

Like any responsible white-hat hacker, CyFi won't reveal any details on the flaw until after it's fixed. She says she has put away one-third of her bounty award money for her education and donated another third of it to the EFF, which helped her with the legal aspect of her Time Traveler vulnerability reporting. She gets to keep the other third: "I'm not sure what I'm gonna spend it on," she says.

CyFi's pal Kryptina won this year's contest, posed by CyFi, for finding top-grossing mobile apps with Time Traveler flaws. "My newest research indicates that at least two of the top 15 grossing apps are vulnerable," CyFi said in her contest challenge. Kryptina found 29 top-grossing apps vulnerable: "We will work with AT&T and EFF to responsibly disclose these vulnerabilities so we can name these apps next year," CyFi says.

Getting mobile app developers to fix the flaws has been a long process, especially since many of the app developers are small companies with little, if any, experience in dealing with security bugs. "The response was disappointing," says CyFi's mom, who is a DEF CON veteran. "The bug has been out there for a long time."

CyFi says she has learned a lot about the process of hacking and disclosure. "I learned that I could make money. I didn't know that before," she says. And making new friends at the hacking conference was "pretty awesome," she says.

She's now starting to code and write apps for Apple iOS, optimizing some of her favorite apps, like "My Little Pony" and others, she says. "I've been coding pretty hard," she says. "Most are little projects" so far, though, she says.

[Who says grown-ups should have all the fun with their DEF CON badges? See DEF CON Kids To Get Badges That Hack.]

Early registrants for DEF CON Kids/R00tz got badges that hack as well as a free Android tablet to use as a resource. "We're giving the compute resources to the kids and stepping back. We're handing them prerooted [tablets], and they can do whatever they want with [them]," says security expert James Arlen, who, with his 11-year-old daughter, Amelia, designed the badges.

Meanwhile, CyFi says she tries to school her friends back home who aren't security-savvy about hacking, security, and privacy, but they don't always take it seriously. "A lot of people think the government will go after you for hacking stuff," she says. "I've tried to explain" the difference between good and bad hackers many times, she says.

She gives her friends this sage advice: "If you put that [information] out there, it's going to be there forever," she says. Do they heed her counsel? "Not really," she admits.

CyFi, who is also training to become an Olympic skier and is an artist whose work has been featured in Rolling Stone, Time, and The Wall Street Journal, is now spending what's left of her summer like any other kid -- swimming.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
JamesG824 (User Rank: Apprentice), 8/21/2013 5:09:25 PM
re: Kid Hackers Bag Bug Bounties
CyFi, I know I am old and behind the times. We are proud of you with your great knowledge of computers and white hat hacking. Keep up the good work. Jim

KMBurnham (User Rank: Apprentice), 8/20/2013 7:31:52 PM
re: Kid Hackers Bag Bug Bounties
Start them young. No better time to get them interested in tech.

OtherJimDonahue (User Rank: Apprentice), 8/20/2013 6:08:41 PM
re: Kid Hackers Bag Bug Bounties
"CyFi, 12, co-founder R00tz Asylum..."

God, I feel old.

David F. Carr (User Rank: Apprentice), 8/20/2013 3:16:36 PM
re: Kid Hackers Bag Bug Bounties
Cool to see kids using their powers for good, rather than cheating on their homework.