Our website uses cookies

Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing Infosecurity Magazine, you agree to our use of cookies.

Okay, I understand Learn more

DefCon 19: 10-year-old code cracker reveals zero-day smartphone gaming security flaw

That the coder – CyFi – is only 10 years old is notable in itself, but the flaw she has found is interesting, as it highlights the fact that the operating system on smartphones is simpler than a desktop, meaning that it has to rely on the hardware's operating system for many basic features, Infosecurity notes.

The flaw that CyFi has revealed is similar to issues seen in the very first PCs in the mid-1980s, in that, if the system clock is changed in forward direction whilst an app is loaded and running, then this can change the way the app functions.

According to the CNet newswire, CyFi has only researched the flaw on games running on the iOS and Android platforms, and has notified the games software vendors of the problem as it affects their apps.

“While many games will detect and block this kind of manipulation, CyFi said that she discovered some ways around those detections. Disconnecting the phone from Wi-Fi made it harder to stop, as did making incremental clock adjustments”, says the newswire

“CyFi's mother, who must remain anonymous to protect her daughter's identity, told CNET that at the end of CyFi's presentation at DefCon Kids they would offer a $100 reward to the young hacker who found the most games with this exploit over the following 24 hours”, adds the newswire.

CNet goes on to say that the $100 reward is being sponsored by ID protection vendor AllClearID and, says Seth Rosenblatt of the newswire, the DefCon Kids event is a reflection of the fact that members of the hacking community are getting older and raising families.

The revelation that iOS and Android apps are reliant on the hardware system clock to monitor the passing of time could have repercussions in the growing number of free apps that allow users to upgrade the software features for a period of time in return for an in-app payment, Infosecurity notes.

In theory, if the system clock of the host device is wound back as the in-app purchase time limit is reached, then the enhanced app would continue working.

This again is an issue that affected early software for the PC-DOS and Windows machines of the late 1980s and early 1990s – until, of course, the software vendors realised the potential flaw and introduced code to remediate the issue.