Ten-year-old hacker finds vulnerabilities in mobile games

A 10-year-old California girl is the world’s newest famous hacker. Going by the name CyFi, the preteen found a way to exploit a vulnerability in numerous mobile apps by tinkering with mobile devices’ system clocks.

She presented her work at the first-ever DefCon Kids conference, a new part of DefCon, the world’s most famous hacker conference. In her talk, called “Apps – A Traveler of Both Time and Space (And What I Learned About Zero-Days and Responsible Disclosure),” CyFi explained that she was able to circumvent common security measures that prevent users from manipulating apps by changing their device’s system clock.

At its core, it’s one of the oldest tricks in the book. For example, imagine a piece of demo software that lets you use it for a restricted period of time. After 30 days, it locks up unless you pay for it. So why not just roll back your computer clock so the app still thinks it’s the day you bought it?

While tricks like that used to work, developers have long built systems to prevent that from happening, especially on mobile devices that have regular access to the Internet to cross-check the date. However, CyFi found that in some FarmVille-style task-based games, she was able to circumvent the built-in waiting process that slows users’ abilities to level up. Basically, she got bored with waiting the requisite hours to harvest her crops, and just bumped her system clock forward to trick the game.

It wasn’t quite that simple. Those mobile games, like most others, do have systems in place to prevent exactly those kinds of cheats. But CyFi, through some clever experimentation, found a combination of techniques that let her beat the system, including changing the time in small increments and disconnecting her devices from networks in between time changes.
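For developers, the countermeasure to both tricks is to never credit elapsed time from the user-settable clock. The following is an added example, not code from CyFi's talk or from any of the games: a wait timer that advances only on server time or the device's monotonic clock, shown beside the naive wall-clock check. The class and function names, the 5-second drift tolerance, the constructed clock readings and the premise that server time arrives over an authenticated channel are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Optional

MAX_DRIFT_S = 5.0  # assumed tolerance between wall-clock and monotonic deltas

@dataclass
class Clocks:
    wall: float                     # user-settable system clock (epoch seconds)
    mono: float                     # monotonic/uptime clock, not user-settable
    server: Optional[float] = None  # authenticated server time; None when offline

def naive_ready(planted_wall: float, wait_s: float, now: Clocks) -> bool:
    """Weak check: trusts the wall clock, so moving it forward ends the wait."""
    return now.wall - planted_wall >= wait_s

class HardenedTimer:
    """Wait timer that credits only server or monotonic time, never wall time."""
    def __init__(self, wait_s: float, start: Clocks):
        self.remaining = wait_s
        self.last = start
        self.drift = 0.0        # cumulative wall-vs-monotonic disagreement
        self.tampered = False
        # (server time, remaining at that time): the authoritative reference
        self.anchor = (start.server, wait_s) if start.server is not None else None

    def update(self, now: Clocks) -> bool:
        mono_dt = now.mono - self.last.mono
        if mono_dt >= 0:  # negative means a reboot; skip the drift comparison
            # Summing drift catches many small clock steps as well as one big jump.
            self.drift += (now.wall - self.last.wall) - mono_dt
            self.tampered = self.tampered or abs(self.drift) > MAX_DRIFT_S
        if now.server is not None and self.anchor is not None:
            t0, rem0 = self.anchor
            self.remaining = rem0 - (now.server - t0)   # server time overrides
        else:
            self.remaining -= max(mono_dt, 0.0)         # offline estimate only
        if now.server is not None:
            self.anchor = (now.server, self.remaining)
        self.last = now
        return self.remaining <= 0

def replay_offline_steps(steps=1000, step_s=4.0, wait_s=3600.0):
    """Constructed scenario: offline, wall clock nudged forward in small steps."""
    c = Clocks(wall=1000.0, mono=50.0, server=1000.0)
    timer = HardenedTimer(wait_s, c)
    for _ in range(steps):
        c = Clocks(wall=c.wall + step_s, mono=c.mono + 0.01)
        ready = timer.update(c)
    return naive_ready(1000.0, wait_s, c), ready, timer.tampered
```

In the constructed replay the naive check reports the crops as ready, while the hardened timer still has almost the full hour remaining and has flagged the session for review.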

In keeping with the spirit of the security conference, CyFi didn’t present all the specifics of her findings, nor did she name the specific apps involved. Instead, she informed the developers themselves of the issues and will hold all the details until the vulnerabilities can be fixed.