August 8, 2011

Hacker Prodigy Finds Zero-day Flaw In Mobile Games

A child hacker using the name CyFi revealed Sunday at the DefCon 19 conference in Las Vegas a zero-day flaw in mobile games on iOS and Android devices that has been verified by game developers as a new class of vulnerabilities.

CyFi, a 10-year-old girl from California, first discovered the vulnerability in January after she had gotten bored with farm-style games and was looking for a way to speed them up. She found that advancing the clock on a tablet or phone can, in most time-management games, open a loophole that can be exploited.

In an interview with CNET at the conference, CyFi said: "It was hard to make progress in the game, because it took so long for things to grow. So I thought, 'Why don't I just change the time?'" For example, planting corn might take ten real-time hours to mature in the game. Advancing the device's clock forced the game further ahead than it really was, which opened up the exploit.

While many games detect and block clock-based cheating, CyFi found ways around these security measures. Disconnecting a device from Wi-Fi and only advancing a clock by small amounts was enough to force the game into a state that had not been tested by game creators.
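The weakness described above, sketched from the defender's side as an added example (not code from the article or from any game): a timer that trusts the device clock and only rejects large jumps, beside one that credits growth only between trusted server timestamps. The jump threshold, the class and function names, and the server timestamp are assumptions made for illustration; the article does not say how the affected games detect clock changes.

```python
from dataclasses import dataclass

GROW_SECONDS = 10 * 3600   # the article's example: corn needs ten real-time hours
MAX_JUMP = 3600            # assumed: client flags any clock jump larger than one hour

@dataclass
class Crop:
    planted_device: float  # device wall clock at planting (user-settable)
    planted_server: float  # server timestamp at planting (assumed trusted)

class DeviceClockGame:
    """Weak design: trusts the device clock and only rejects large jumps."""
    def __init__(self, crop, now):
        self.crop, self.last_seen = crop, now

    def is_ripe(self, device_now):
        if device_now - self.last_seen > MAX_JUMP:
            return False               # large jump detected, treated as cheating
        self.last_seen = device_now    # small steps pass and become the new baseline
        return device_now - self.crop.planted_device >= GROW_SECONDS

def is_ripe_server_checked(crop, server_now):
    """Hardened design: growth is measured only between server timestamps."""
    if server_now is None:             # offline: no trusted time available
        return False                   # defer the harvest until the next sync
    return server_now - crop.planted_server >= GROW_SECONDS

def simulate_offline_small_steps(step=1800, steps=20):
    """Constructed scenario: offline, clock moved 30 minutes at a time, 20 times."""
    crop = Crop(planted_device=0.0, planted_server=0.0)
    game = DeviceClockGame(crop, now=0.0)
    device_now, weak = 0.0, False
    for _ in range(steps):
        device_now += step             # user edits the clock; no real time passes
        weak = game.is_ripe(device_now)
    hardened = is_ripe_server_checked(crop, server_now=None)
    return weak, hardened

if __name__ == "__main__":
    print(simulate_offline_small_steps())
```

The weak timer reports the crop as ripe although no real time has passed, while the server-checked timer withholds the harvest until the device is back online.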

CyFi is not revealing which games the hack works on because of reasonable disclosure, thus giving the vendors of such games a chance to respond. Her hack has been confirmed by security experts.

She gave a presentation about her findings at DefCon Kids, the first meeting of its kind at the DefCon hacker conference, aimed at younger people who are interested in tinkering with hardware and software.

CyFi's mother, who remained anonymous to protect the identity of her daughter, told CNET that at the end of CyFi's presentation they would offer a $100 reward to the young hacker who found the most games with this vulnerability within a 24-hour period. The reward is sponsored by AllClearID, an identity protection company that is also sponsoring DefCon Kids.

CyFi admitted that she was nervous about speaking at the conference of about 100 or so people about her finding, even though she has already performed a 10-minute-long speech in front of 1,000 people at the San Francisco Museum of Modern Art. She said that while it was probably different publicly speaking about a topic with such a specific focus, it would be hard for her to imagine what those differences might be.

CyFi is also a Girl Scout and a state-ranked downhill skier. 

