10-Year-Old Finds iOS, Android Security Flaw


A 10-year-old hacker who goes by the handle CyFi has an "important lesson" that mobile phone app makers can "learn from a Girl Scout." She's found a way to cheat Android and iOS games on smartphones and tablets using a common console and PC video game exploit: the clock.

CyFi (not to be confused with DVICE's parent company, Syfy), seen above in sweet shades, discovered the loophole because of some good ol' fashioned boredom. While playing farming games and other Android and iOS titles — she isn't releasing the names of what's what to give developers time to fix the vulnerability — CyFi found herself wishing certain tasks didn't take as long. Now, simply changing the clock a great deal won't work — app makers thought of that much, and will detect such tomfoolery.

To get around this, CyFi found that if she changed the clock in small increments instead, or disconnected a device (from a network, we think, but it's unclear), she could time travel in the game she was playing. She calls this creation a "zero day."
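The small-increment trick described above can be modeled in a few lines. This is an added sketch, not code from CyFi's talk or from any game: it assumes a hypothetical timer that rejects only large single clock jumps, and contrasts it with one that measures elapsed time on a monotonic counter. The device model, names and thresholds are all constructed for illustration.

```python
# Added illustration: every name and threshold here is hypothetical.
from dataclasses import dataclass

MAX_JUMP = 3600       # assumed: naive check rejects single jumps over 1 hour
GROW_TIME = 8 * 3600  # assumed: a crop takes 8 hours to grow

@dataclass
class Device:
    """Constructed model: user-settable wall clock plus a monotonic counter."""
    wall: float = 1_000_000.0
    mono: float = 0.0

    def wait(self, seconds):       # real time passing moves both clocks
        self.wall += seconds
        self.mono += seconds

    def set_clock(self, delta):    # a settings change moves only the wall clock
        self.wall += delta

class NaiveTimer:
    """Trusts the wall clock and rejects only large single jumps."""
    def __init__(self, dev):
        self.dev, self.last, self.progress = dev, dev.wall, 0.0

    def done(self):
        delta = self.dev.wall - self.last
        self.last = self.dev.wall
        if 0 <= delta <= MAX_JUMP:  # small steps pass this check and add up
            self.progress += delta
        return self.progress >= GROW_TIME

class MonotonicTimer:
    """Counts monotonic elapsed time, which clock settings cannot move."""
    def __init__(self, dev):
        self.dev, self.start = dev, dev.mono

    def done(self):
        return self.dev.mono - self.start >= GROW_TIME

def simulate(step, count):
    """Apply `count` clock edits of `step` seconds, one real second apart."""
    dev = Device()
    naive, hardened = NaiveTimer(dev), MonotonicTimer(dev)
    result = (False, False)
    for _ in range(count):
        dev.set_clock(step)
        dev.wait(1)
        result = (naive.done(), hardened.done())
    return result
```

A monotonic counter resets on reboot, so games with persistent or social state generally need elapsed time validated by a server rather than by the device alone.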

Change of time can have any number of effects. In games such as Animal Crossing on the Nintendo DS, for instance, changing the handheld's clock would mean you'd come back to fully grown trees and crops (and, usually, weeds). Similarly, advancing the Xbox 360's clock while playing Fable 2 famously allowed players to rack up huge bank accounts, as the game allows you to collect rent from real estate you own even when the console is turned off.

CyFi's exploit isn't the end of the world for iOS or Android games, but a lot of these titles do have a social component, and it could open up a whole new avenue for cheaters. It's also impressive, not only given her young age, but because she found the vulnerability before mobile developers did.

CyFi presented her finding — though not all the details, so that the exploit wouldn't be, y'know, exploited — at DefCon Kids, a freshly-minted offshoot of DEFCON, the "world's longest running and largest underground hacking conference" held annually in Las Vegas. Her presentation was called "Apps — A Traveler of Both Time and Space (And What I Learned About Zero-Days and Responsible Disclosure)," in which she wrote the following:

The world of apps has obvious[ly] not thought about security, yet. Here is an import[ant] lesson they can learn from a Girl Scout. I'll show a new class of vulnerabilities I call TimeTraveler.

By controlling time, you can do many things, such as grow pum[p]kins instantly. This technique enables endless possibilities. I'll show you how. Wanna play a game? Let's find some zero-days! (Cuz it's fun!)

DefCon Kids, via The Register, via PCWorld
