The hacker is a 10-year-old girl who goes by the name of CyFi, according to a story from PC World. She presented last weekend at DefCon Kids, a children-oriented offshoot of the annual DefCon hacker conference that took place in Las Vegas. And the exploit she found is a pretty simple one: by messing with her mobile device’s clock, she was able to alter the in-game time in her farming simulation app (read: FarmVille or a similar game), thereby shortening the time the game required her to wait for her crops to grow. The hack works on games both on Google’s Android operating system and Apple’s iOS platform.
That’s a pretty simple exploit and one that players have been trying with games pretty much since video games and computer games have been available. It’s also one that programmers have long since figured out how to stop – which is the reason you can’t mess with your computer’s clock in order to extend a free trial of software, for example. Except, as CyFi put it, app developers are still busy feeling-out how to work in the space and not quite onto thinking about security yet. Here’s a quote from the brief for CyFi’s presentation, entitled “Apps – A Traveler of Both Time and Space (And What I Learned About Zero-Days and Responsible Disclosure)”:
The world of apps has obvious[ly] not thought about security, yet. Here is an import[ant] lesson they can learn from a Girl Scout. I’ll show a new class of vulnerabilities I call TimeTraveler. By controlling time, you can do many things, such as grow pum[p]kins instantly. This technique enables endless possibilities. I’ll show you how. Wanna play a game? Let’s find some zero-days! (Cuz it’s fun!)
While CyFi presented on the exploit she’d discovered at DefCon, she wasn’t giving away the keys to the farm, as it were. The hacker kept her method secret, she said, in order to give game developers time to fix the problems. The hack has been independently verified; CyFi discovered that there are anti-cheat components worked into apps, but they’re not very robust. After some experimentation, she was able to trick them by taking her device off Wi-Fi connectivity and by moving the clock in small increments so as not to tip off the software.
That’s a pretty simple exploit and one that players have been trying with games pretty much since video games and computer games have been available. It’s also one that programmers have long since figured out how to stop – which is the reason you can’t mess with your computer’s clock in order to extend a free trial of software, for example. Except, as CyFi put it, app developers are still busy feeling-out how to work in the space and not quite onto thinking about security yet. Here’s a quote from the brief for CyFi’s presentation, entitled “Apps – A Traveler of Both Time and Space (And What I Learned About Zero-Days and Responsible Disclosure)”:
The world of apps has obvious[ly] not thought about security, yet. Here is an import[ant] lesson they can learn from a Girl Scout. I’ll show a new class of vulnerabilities I call TimeTraveler. By controlling time, you can do many things, such as grow pum[p]kins instantly. This technique enables endless possibilities. I’ll show you how. Wanna play a game? Let’s find some zero-days! (Cuz it’s fun!)
While CyFi presented on the exploit she’d discovered at DefCon, she wasn’t giving away the keys to the farm, as it were. The hacker kept her method secret, she said, in order to give game developers time to fix the problems. The hack has been independently verified; CyFi discovered that there are anti-cheat components worked into apps, but they’re not very robust. After some experimentation, she was able to trick them by taking her device off Wi-Fi connectivity and by moving the clock in small increments so as not to tip off the software.
Talks about app security inevitably seem to lean toward the spooky, but for one hacker, finding an exploit in apps wasn’t about stealing credit card information, just fast-tracking the growth of her crops.
