Top 5 Stories


DefCon 19: 10-year-old code cracker reveals zero-day smartphone gaming security flaw

08 August 2011

A 10-year-old code cracker taking part in the first Defcon kids event over the weekend – part of the DefCon 19 event that has just taken place in Las Vegas – has reportedly discovered a zero-day flaw in the way the iOS and Android smartphone/tablet operating systems rely on the system clock.

That the coder – CyFi – is only 10 years old is notable in itself, but the flaw she has found is interesting, as it highlights the fact that the operating system on smartphones is simpler than a desktop, meaning that it has to rely on the hardware's operating system for many basic features, Infosecurity notes.

The flaw that CyFi has revealed is similar to issues seen in the very first PCs in the mid-1980s, in that, if the system clock is changed in forward direction whilst an app is loaded and running, then this can change the way the app functions.

According to the CNet newswire, CyFi has only researched the flaw on games running on the iOS and Android platforms, and has notified the games software vendors of the problem as it affects their apps.

“While many games will detect and block this kind of manipulation, CyFi said that she discovered some ways around those detections. Disconnecting the phone from Wi-Fi made it harder to stop, as did making incremental clock adjustments”, says the newswire

“CyFi's mother, who must remain anonymous to protect her daughter's identity, told CNET that at the end of CyFi's presentation at DefCon Kids they would offer a $100 reward to the young hacker who found the most games with this exploit over the following 24 hours”, adds the newswire.

CNet goes on to say that the $100 reward is being sponsored by ID protection vendor AllClearID and, says Seth Rosenblatt of the newswire, the DefCon Kids event is a reflection of the fact that members of the hacking community are getting older and raising families.

The revelation that iOS and Android apps are reliant on the hardware system clock to monitor the passing of time could have repercussions in the growing number of free apps that allow users to upgrade the software features for a period of time in return for an in-app payment, Infosecurity notes.

In theory, if the system clock of the host device is wound back as the in-app purchase time limit is reached, then the enhanced app would continue working.

This again is an issue that affected early software for the PC-DOS and Windows machines of the late 1980s and early 1990s – until, of course, the software vendors realised the potential flaw and introduced code to remediate the issue.

This article is featured in:
Application Security  •  Industry News  •  Wireless and Mobile Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×