10-year old hacker finds flaw in mobile games

A 10-year-old hacker has won the admiration of her adult peers for finding a previously unknown vulnerability in games on iOS and Android devices. The young girl, who has adopted the hacker handle CyFi, discovered the timing-related bug after she got bored with the slow progress of a FarmVille-style game. For example, crops …

COMMENTS

This topic is closed for new posts.
  1. jubtastic1
    Headmaster

    Hacker?

    Changing the clock is hacking now? Really?

    1. Kurgan
      Thumb Up

      Yes, it is.

      Yes, setting the clock forward to gain an advantage in online gaming is a (simple) hack. If you can make the program behave in an unintended way, you are hacking it. It is hacking as is setting the clock backward to fool "trial" software into a "forever trial" status, for example. Easy, stupid, but still a hack.

      1. Charles Manning

        Well then my son trumps her, and my cat too!

        When he was a few months old my son would mash on the keyboard causing DOS to get hung up. The cat jumped on a keyboard and did this too.

        Both caused the software to act in unintended ways.

      2. Anonymous Coward
        WTF?

        No, It's Not.

        "Yes, setting the clock forward to gain an advantage in online gaming is a (simple) hack. If you can make the program behave in an unintended way, you are hacking it. It is hacking as is setting the clock backward to fool "trial" software into a "forever trial" status, for example. Easy, stupid, but still a hack."

        No, it is a "bug exploit". Alternatively it is a "clever yet unintended use of game mechanics".

        Hacking involves gaining unauthorized access and/or inserting your own code.

    2. Tom 13

      Changing the clock no.

      Repeatedly changing the clock in small increments so as to circumvent a programmatic method implemented to stop the abuse, yes. Just because it is simple doesn't mean it isn't a hack. In fact, if you go all the way back to the earliest definition as in "an elegant hack" the simpler and more obvious but not thought of, the better.

    3. Anonymous Coward

      By this logic

      Taking advantage of any implementation glitch in a game would be a hack. Changing the system clock to gain advantage in Farmville is not all that different from skipping most of Ravenholm in HL2 with physics tricks or taking advantage of disappearing sprites in Duke Nukem 3D -- something around when I was ten -- to beat the Cycloid Emperor with very little effort. It shows that you've spent plenty of time playing the things, are reasonably intelligent or at least observant and inquisitive, and have some vague idea of how they work. It is a hack in the sense that you are playing the game in a way unintended by its creators, but it hardly makes you a hacker or your "hack" news. Nonetheless, good going for the ten-year-old and good going for DefCon. Maybe their outreach will interest at least a few more kids in considering careers which are vaguely useful.

  2. Loyal Commenter Silver badge
    Facepalm

    Previously unknown?

    Previously unpublished perhaps, along with a lot of other trivial things. It's a bad programmer who trusts the user's system to tell the truth about such things as the system time.

    Having said that, I have a number of instant messages sat on Skype which appear to be from the future because I reset my PC's BIOS and failed to notice that the clock setting was in 'merkin format (mmddyyyy) until I'd been using it for a few hours. I mean seriously, who came up with that? It's like telling the time with the seconds between the hours and minutes. And honestly, why does Skype not timestamp messages with a server time?

    1. Anonymous Coward

      They say tomayto, you say tomahto

      It's because Merkins say a date as "January first" while we Limeys say "The first of January".

      The irony of course is that Independence Day is "The Fourth of July".

      El Reg readers know that the Americans are right to put month before day, it's just that they have the year position wrong.

      1. johnnytruant

        ah, but

        Us 'ere Limeys also say "ten past five" for a time, but we don't write it as "10:17"

        1. Anonymous Coward
          Happy

          I would hope

          "Us 'ere Limeys also say "ten past five" for a time, but we don't write it as "10:17""

          <sarcasm> I would hope that we don't write "ten past five" as "10:17". I'm kind of hoping that we write "ten past five" as "5:10". </sarcasm>

          Of course, I might have just been doing it wrong all these years.

          1. ArmanX
            FAIL

            @I would hope

            "Ten past five" -> 5:10 PM -> 17:10 -> 10:17

            Is there a "failed to spot the joke" icon?

            1. Tom 13

              If the joke needs explaining, it failed.

              Frankly, until I read your post I had no idea what the hell he was trying to say.

          2. Anonymous Coward
            FAIL

            oops!!

            > <sarcasm> I would hope that we don't write
            > "ten past five" as "10:17". I'm kind of hoping
            > that we write "ten past five" as "5:10". </sarcasm>

            *woosh* !

      2. Michael Dunn
        Happy

        Irony

        Ironically, the Merkins still have "Coroners"!

    2. Citizen Kaned

      yet.....

      you can get free extended demos in some apps (on PC) by setting the clock forward a few years when you install then resetting back to normal after installation.

      "you have 34563 days left before the demo expires" :)

    3. Anonymous Coward

      Re 'merkin date format

      Be glad you only had some messages from the future. After a similar incident my anti virus software kept violently knocking my head for being totally out-of-date...

  3. Anonymous Coward
    FAIL

    Erm...no?

    This is not a new discovery. The wife and her family have been doing this for yonks to cheat this kind of game. Saying a 10 year old discovered it seems a bit late.

    Also, this isn't a "vulnerability". It is a flaw in the game to prevent cheating, but I can't see it as an attack vector.

    1. Marvin the Martian
      Mushroom

      I prefer the BBC News version of this article.

      On the BBC it was implied that this would let arbitrary code be run on the system...

      http://www.bbc.co.uk/news/technology-14443001

      (As for the comment above that it indeed is "hacking" in an online game -- note that it's obviously NOT an online game here, as that kind of trickery is checked against... it only worked "if shutting down wifi" etc.)

    2. Blank Reg

      Ancient hack

      This goes back at least as far as the dawn of personal computers, it's not new at all.

  4. Kurgan
    Mushroom

    Now, if she could find a way to nuke farms...

    Now, if she could find a way to nuke farms (from orbit, eventually) I'd sign up to farmville just to nuke my friend's farms and make them stop bothering me with "please click here to give me more cows" idiocy.

    1. Graham Marsden
      Boffin

      Nuke Farmville!

      Erm, if you mouse over one of those messages and click on the little X which appears in the top right of the message you get a box that lets you "Hide all from Farmville".

      Bravo, you've just nuked all Farmville messages!

    2. Tom 13

      If you can't be arsed to fix the settings on your Facebook profile,

      don't bitch at me for your own idiocy.

      Whether this means just blocking the postings like a geek, or unfriending the people who send you the messages is entirely up to you. Or perhaps you should go in and remove yourself from the game settings. Because the last time I checked, I'm limited to 50 messages to people for a given session, and I sure as hell try to make sure I'm getting something back for the messages I'm sending. Which means they only go out to people who are listed in the game as playing the game.

  5. Ian Yates

    Quality of tech reporting

    At least you didn't stoop to the Beeb's coverage of screaming of the doom of this "security flaw".

    I was impressed until I read the detail and realised that I'm sure I did similar things to this in the days when software came with 30 day trials.

  6. Shane8
    Meh

    lol

    i remember doing the same way back and seeing:

    [Software Name] 30 day license will expire in 60 days.

    Is it really hacking though? Don't web games like farmville use the server's date/time also (never used, don't plan on using)

    1. Anonymous Coward
      Happy

      I have a trial copy of PSP4.0 on my machine...

      ..says 'You are on day 1481 of your 30 day evaluation period'.

      1. Trygve Henriksen

        Doesn't count...

        That version had a non-working expiry function...

  7. Andrew Moore

    hmmmm....

    The only problem is this 'hack' existed 10-15 years before this person was born. I remember fooling '30 day test' software by setting the clock 5 years into the future before installing.

    1. Marvin the Martian

      Yes, but you were older than 10.

      The age is the news here. Soon we will have news items for youngest baby sending a txt, youngest sending a txt using T9, etc etc.

      1. Anonymous Coward
        Boffin

        Phooey

        When I was ten, I was using disk editing software to hack the text labels in program binaries. On an Amstrad.

        This both illustrates my age, and extreme geekiness...

        1. Anonymous Coward
          Thumb Up

          Ah the old days...

          Ah yes... At the same age I was rewiring the joystick port of my TI-99/4A to connect it to under carpet pressure pads I had made from tin foil, bubble wrap and bin liners, so that my intruder detection program could sound the alarm and log entry and exit from my bedroom for when my horrible little brother came to nick stuff off me. lol.

          I also "invented" a new limitless power supply for street lights for my toy cars, using bell wire, 1.5v torch bulbs and a mains power cassette recorder lead... this was slightly less successful, as shoving the bare ends of bell wire into 240v mains had the effect of vaporising said torch bulbs instantaneously. You live and learn. Kids eh!? :-D

        2. Thomas 4

          Good man!

          My first "hacking" attempts were on an Amstrad, using a curious gadget called a Multiface.

        3. andy mcandy
          Happy

          i did the same thing...

          ...but a few years later on an amiga. changed all the planet names etc on frontier:elite2 to humorous words. also the intro credits. that was pretty cool

          deksid got me into "hacking" (worked fine as long as the CRC was unchanged), which i very rarely see anymore in my professional life as a contractor. hit the hex dude!!!!! :)

          1. Anonymous Coward

            hacking

            i 'hacked' a football manager game on the spectrum 128 so I had a limitless cash to build my team.

            More recently (10 years ago) i created a champions league patch for the PSone emulator on PC playing one of the first versions of PES, using hexedit, I altered all the players, and built new 3d stadia by directly editing the hex to move the 3d polygons around, remember doing a new Villa Park.

      2. Anonymous Coward

        It's all Apple's fault

        Had they released the Apple ][ earlier then I could have beat this, as it is I was doing this hack at the ripe old age of 11.

  8. Dave Murray

    Prior Art

    Like everyone else I was doing this 20 years ago to fool trial software, probably before her parents even met.

    Clever for a 10 year old to think of it though.

  9. Cocodude
    Meh

    Tamagotchi

    I'm sure I was ten when I noticed I could move the time forward to get my Tamagotchi to age to 99 years old and confuse/stun/amaze my friends.

  10. Anonymous Coward
    Holmes

    Catz

    I can't have been much older than 10 when I was messing with the clock to speed up the gestation period of virtual cats in the "Catz" PC game.

    I also took a hex editor to some of the virtual creatures, but never managed to create anything more interesting than garden variety deformities.

    At least the Petz games had some rudimentary genetics built in. As such they were more stimulating than watching corn grow.... and always ending up with the exact same type of corn.

    Corn is a simple thing really, if you're that interested in it, surely you would set aside the space and time to grow some REAL corn? And I did that too when I was 10. Well not corn exactly, but potatoes.

    How many of these kids would still be interested in farming if you handed them a shovel?

    1. Lamont Cranston
      Pint

      I wouldn't be interested in joining an intergalactic corp of space marines,

      but this didn't put me off 40K (or Doom) as a youngster.

      Escapism, innit?

      1. Gavin King

        Escapism

        I don't know whether to be sad or happy about people wanting to "escape" and grow corn.

        On the one hand, the farmer in me says that it is a good thing, but is it really as *cool* as (say) being an intergalactic space marine?

  11. maclovinz
    Happy

    How I hacked XP

    That's how I hacked XP!!!!

    Woohooo!!!! I'm in the ranks of 10-year-olds...

    I did this when I was 5 sometime on my Apple IIgs, does that count?

  12. Anonymous Coward

    Re: Hacker?

    @jubtastic1

    Making a trivial change to produce an unexpected result furthering one's aims is pretty much the definition of "hack".

  13. Law
    Go

    *repeats similar posts to above re: not that shocking, we've all done it, but

    The hack isn't the story here, the impressive thing is that she notified the developers before posting... at age 10 I probably wouldn't have given a crap about the software authors and wouldn't have any real idea of how it would affect them had I posted the hack.

    1. Anonymous Coward
      Facepalm

      clue at the end...

      "The 10-year-old presented her findings last weekend in Las Vegas at the very first DefCon Kids, the new pint-sized campaign conference to DefCon. "

      Methinks some adult/s may have been involved, as not many 10 year olds would be able to get themselves to a conference like this...

  14. Annihilator
    Meh

    Hack?

    As mentioned, it's not a hack. It's also not something that can ever be defended against really, unless you have a network time server for the game to check against (which this apparently doesn't). The host device's time settings are gospel.

    Unfortunately, I can't say I'd have done this when I was 10. But only because my C64 didn't have a real time clock that I could manipulate like this. Does creating my own Action Replay codes to search for the "number of lives" register count??

    1. Anonymous Coward

      Easy to defend against.

      I have several programs running on my server that crash if the clock changes by more than a small amount when it checks. That even means that I can't just synchronize the clock with a time server suddenly. Unfortunately, it does require the ability to approximately track the passing of time instead of absolute time. Which would mean that the game would either need to have a timer running in the background or make the user actually play for that time instead of just walking away. Alternatively, the system could provide a function that only counted clock ticks and didn't care about the absolute time.

      Though, really, I find it odd that the phone lets you change your system time willy nilly like that in the first place. The clock is just too important to a number of standard functions for that to be sensible.
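
The tick-counter check described in the comment above, as an added example that is not part of the original thread or any game's code: a per-check jump test is slipped past by the small clock increments mentioned elsewhere in this discussion, while comparing wall-clock time against a monotonic counter flags them. `ClockGuard`, `FakeDevice`, `simulate` and the thresholds are hypothetical names and values, and the device clock is simulated so the run is deterministic.

```python
import time


class ClockGuard:
    """Compares the user-settable wall clock with a counter that only ticks."""

    def __init__(self, wall=time.time, ticks=time.monotonic,
                 max_step=60.0, max_drift=5.0):
        self.wall, self.ticks = wall, ticks
        self.max_step = max_step      # naive rule: largest jump allowed per check
        self.max_drift = max_drift    # total wall-vs-tick disagreement allowed
        self.wall0 = self.wall_prev = wall()
        self.tick0 = ticks()

    def check(self):
        w, t = self.wall(), self.ticks()
        # Naive rule: only looks at how far the wall clock moved since last check.
        naive_flag = abs(w - self.wall_prev) > self.max_step
        self.wall_prev = w
        # Drift rule: time actually elapsed comes from the tick counter only.
        trusted = t - self.tick0
        drift = (w - self.wall0) - trusted
        return {
            "naive_flag": naive_flag,
            "drift_flag": abs(drift) > self.max_drift,
            "wall_elapsed": w - self.wall0,
            "trusted_elapsed": trusted,   # credit crop growth from this value
        }


class FakeDevice:
    """Constructed stand-in for a phone: one settable clock, one tick counter."""

    def __init__(self, start=1_312_000_000.0):   # constructed start time
        self._wall, self._ticks = start, 0.0

    def wall(self):
        return self._wall

    def ticks(self):
        return self._ticks

    def wait(self, seconds):               # real time passes: both advance
        self._wall += seconds
        self._ticks += seconds

    def set_clock_forward(self, seconds):  # settings change: wall clock only
        self._wall += seconds


def simulate(nudge, rounds, real_gap=1.0):
    """Nudge the clock `nudge` seconds each round; count how often each rule fires."""
    dev = FakeDevice()
    guard = ClockGuard(dev.wall, dev.ticks)
    naive_hits = drift_hits = 0
    result = guard.check()
    for _ in range(rounds):
        dev.wait(real_gap)
        dev.set_clock_forward(nudge)
        result = guard.check()
        naive_hits += result["naive_flag"]
        drift_hits += result["drift_flag"]
    return (naive_hits, drift_hits,
            result["wall_elapsed"], result["trusted_elapsed"])


if __name__ == "__main__":
    for label, args in [("one 10-hour jump", (36000, 1)),
                        ("800 nudges of 45 s", (45, 800)),
                        ("honest player", (0, 800))]:
        print(label, simulate(*args))
```

Differences of `time.monotonic` are only valid within one process run, which is the commenter's caveat about needing a timer that keeps running; a server-supplied time, as other posts in this thread suggest, is the reference that survives restarts.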

  15. Citizen Kaned

    why is this different...

    to when you were 5, on xmas day, sneaking into your mum and dads bedroom at 5am and setting the clock to 9am :)

    1. John Dougald McCallum
      Unhappy

      D'frent

      Yup only to get (w)hacked with a slipper behind the ear'ole for our trouble.

  16. mittfh

    If only...

    Zynga games could be hacked to allow you to do stuff without having hundreds of "friends" actively playing the games, or requiring you to part with vast amounts of real money to do anything useful.

    Those limitations quickly turned me off the "freemium" "social games", as to make significant progress requires you to have oodles of "friends", all of which are (a) online 24/7, and (b) are willing to throw real money at the games in order to buy stuff with "cash". Oh, and (c) trying to direct the output to Friend Lists is annoying - click the padlock, select customise, select Specific friend, type in the name of the friend list, click OK, click Post. G+ is soooo much easier to send stuff to specific groups of people - and if (when) they develop an apps platform, they can ensure only people who already play that specific game get spammed, that could encourage Zynga addicts away from FB. Although it would be much nicer if Zynga and any games company that either spams contacts mercilessly or runs a "freemium" service are barred from G+ :)

    Meanwhile, installing Skype on mum's Windoze box tries to persuade you to install a games platform - anything to do with their Facebook tie-up?

  17. rpjs

    Tch, kids these days

    Spending all their time indoors glued to a screen. Doesn't she know she should be out looting an Argos?

  18. Syren Baran
    Boffin

    Changing time

    equals leet haxor nowadays?

    How times have changed.

    Convert HP to hex. Search for offsets. Drink HP Potion. Convert to hex again. Look for value at previous offset. Must be arcane magic by those standards. And probably the only way to find Excalibur in Bane of the Cosmic Forge.

  19. Colin Millar
    Childcatcher

    Next gen hackers - dumblulzers

    Getting their hakz from the gamezone archive

  20. Graham Bartlett

    Definitely a hack

    It's using a vulnerability to make a program behave in a way that it shouldn't. So it's a hack. Sure it's not a hugely difficult one, or a desperately important one. But these games are networked, so being able to spoof this will push you up the rankings on the server. This makes the game less fun for other players. So players stop playing, and the company running it loses money.

    Maybe not such an issue for Farmville. But consider one of the many strategy-type games on Facebook. If you can spoof this such that 10 minutes of automated stuff will immediately land you at level 1000 and you can then go and stomp the map, that instantly destroys the fun for everyone else. Bad news for players, worse news for the company.

    Plus all these games are still at a very primitive level as far as connectivity goes. It's only a matter of time before someone ports WoW or similar to iPad, Android or some other future platform. In WoW, items *do* have monetary value, and farmers *do* make actual cash money from them. If you can spoof this so that crafting takes much less time, say, that's a big deal.

  21. Anonymous Coward
    Happy

    I despair for today's yoof

    ...wait - no I don't. It's bloody good to see a youngster actually using their brain for once. My faith in humanity is restored...

    They'll need their brains too, if they're gonna sort out the world's problems which we haven't been able to (population, peak oil, deforestation, biodiversity, overfishing, poverty etc etc).

    Mind you resetting the clock back 50 years would be a good way of expiring almost everyone over the age of 50, thus solving the first problem...

  22. Anonymous Coward

    Been there, done that.

    Some months ago I did exactly this in a particular iOS game in which you are supposed to earn a very tiny drip feed of credits over time with which to buy ingame stuff or, as most of these games do, exchange not inconsiderable sums of real money for in game credit. After setting the iOS clock to its highest possible date (which is the year 2038), I had 1.3 million credits. I'll refrain from mentioning the game :)

    I tried it after seeing various Youtube videos for several other iOS games which reacted the same way, so this girl certainly isn't the first to find them. Possibly she's the first for this particular game, but then the article doesn't reveal which it is, for presumably the same obvious reasons I'm not.

  23. Eden
    WTF?

    WTF!! I could have been famous!!

    I've been doing this for ages including on IOS, Plants Vs Zombies Zen Garden for example.

    I just assumed it was too obvious and cases of "prior art" too numerous to claim ownership of it...but then we are talking about America I suppose

  24. Answer42

    Worried

    What if my daughter hacks me and winds my body clock back?

  25. J-Wick
    Thumb Up

    Hey old-timers...

    You know how you're always saying how back in the day computers used to be gadgets that you could play and tinker with, instead of locked-down devices for the mindless consumer? And how hours spent exploring in your basement gave you the curiosity to explore and learn?

    This is how kids do it these days. Celebrate it, don't knock it. We all share curiosity and drive but express it in different ways.

    Now get orf my lawn.

    1. andy mcandy
      Gimp

      a title

      harking back to the original topic of "hacking", the jeff minter story is great. beginning with limitations of ye olde spectrum our hero jeff got hooked

      follow the story here: http://minotaurproject.co.uk/lshistory1.php#1

  26. Sir Cosmo Bonsor

    Loving it

    Loving all the butthurt "techies" rushing in to downplay this. Feeling a little insecure in your own skills and career prospects now you have 10-year old female competition, anybody?

    1. James Hughes 1

      Nice one Sir Cosmo

      My thoughts entirely.

  27. John Jennings
    Angel

    Excellent

    Good on her.

    I wish I could get my 11 year old to try this sort of thing.

    It might not be new, but it is in an original context. I doubt if she knew of previous exploits like this, and even if she did - she got off her arse to present it!

    Hacking starts with simple first steps - I, for one, welcome our pint sized overlords!

  28. Blue eyed boy
    Thumb Up

    When I were a lad

    about 8 years old, I figured out a procedure for working out a square root on a calculator. Nowadays of course a square root is just a single button press, but I'm talking of when calculators were hand-cranked mechanical things that could only really add and subtract. The procedure was clumsy but it worked.

    So yes, kids can come up with some brilliant ideas sometimes.

  29. Andus McCoatover
    Windows

    Bejeezus!

    10 year old lass?? She must be as bright as a button. If she thinks like that, she's a good future ahead of her, especially as the BOFH will be retiring about the time she graduates ;-)

    Yep, certainly made me feel old and withered. Think another glass of tramp-juice is in order. Or two.

  30. Old Handle
    Thumb Up

    A few thoughts

    Yes it's a "real hack". It's not original, but as long as she came up with it on her own, it's still an accomplishment. And because she circumvented an attempt to detect it, I'd say that even qualifies as a security weakness. Unfortunately, none of the articles I've read make it totally clear if these are multi-player games or not. If they are, then this is actually significant, and should be fixed. If not, it's harmless, but still an amusing discovery.

  31. Will Godfrey Silver badge
    Happy

    When I was 10

    I discovered that if the metalising on either the frequency changer or IF valves broke away from the drain wire it would cause instability. The cure was to straighten out the drain wire, scrape a bit of the red paint off (not necessary with the older grey valves) and bind the wire to it with rubber bands... OK you had to keep replacing the rubber bands.

    Was I hacking the radios? Dunno, but it was fun and got me some pocket money.

    Go Girl!

    1. Andus McCoatover
      Windows

      Grief! You're as old as me!

      Remember finding - in a ditch - an old LW/MW/SW radio that had those old wartime red-painted valves. Chassis only. Carried it home, all I needed to do was short out the power switch. Think I was a bit older, maybe 13? Used it for years.

  32. Destroy All Monsters Silver badge
    Happy

    Didn't we hack lots of hardware around the Y2K cliffs like that?

    Yes, yes we did!

  33. thataussieguy
    FAIL

    This is ridiculous

    I assume by the reference to iOS and corn taking 10 hours to grow that this little one was playing Smurfs. If you Google 'Smurf cheat' you will immediately find that every man and his dog has been playing with the clock since the day it was released (and for years prior on other games and systems). My six-year old asked me if we could use Google to make the game faster and what do you know, the answer was right there waiting for us. Not really a discovery, or a hack, is it? Regardless of her age...

    1. Anonymous Coward
      Pint

      too right

      No, just some over zealous parents wanting to promote their child for their own failings and the 'news' jumping on any old story. It certainly doesn't sound good if the story was some large sweaty middle aged man discovers flaw and posts the information on a wiki. Apologies to the man who posted the 'hack' I read about months ago. You may be neither large nor sweaty.

  34. Allan George Dyer
    Thumb Up

    Not just a simple clock change...

    RTFA to all the knockers saying it's not a hack, she went further "changing the time by small increments or disconnecting devices". I don't know if she had adult help - suggesting new approaches, preparing the presentation, but she's showing a good problem-solving approach, and that is worth celebrating.

  35. meMongo
    Thumb Up

    XLNT

    Take extreme pride for your truly PROFESSIONAL handling of your discovery. Most people who find these types of FAILS just post to their gaming buds or hack sites and don't give the honest system developers a chance to fix or mitigate the potential for system harm.

    Live long and .... (what can I say) When I was your age STAR TREK wasn't on yet, and a computer was a PERSON who calculated data. For real.

  36. Ben Rosenthal
    WTF?

    feel old

    yeah, I mean back in my day the pages of C&VG or Mean Machines were not actually full of stuff just like this.

    Now it's national news, so yeah, I feel pretty damn old and out of touch right there.

  37. Anonymous Coward
    WTF?

    erm..

    why does a ten year old need an iphone?

    1. katx5h
      Happy

      to boost her low self-esteem

      maybe she has low self-esteem like the others

  38. katx5h
    Happy

    time warp

    It is said that 50 is the new 30, but with 10 year old hackers and Real Madrid signing a 7-yr old footballer, maybe 10 is the new 20. The old are trying to be young and the young old, so what does that leave the 20 and 30-somethings except, perhaps, unemployed.

  39. Anonymous Coward
    WTF?

    I think we're missing the point here

    Whether or not changing a system's time is hacking is beside the point, A 10 year old girl hacked a game!

    What the hell is a girl doing playing with computer games let alone hacking?

    Don't her parents have any shame!

    What's next,

    dogs and cats getting married?

    Men working as nurses?

    Ladies commanding war ships?

    It's a world gone mad I tell you

  40. Anonymous Coward
    Pirate

    hmmmmm

    Putting your clock back on a windows system isn't difficult for anyone to do, but is helpful in providing odd results. I get some emails dated in the year 1601, or 1980, 1901. UK social security gives some dates of birth out as January 1st, 1852 (system default, apparently).

    Surely it can't be difficult to obtain time strings from time servers such as time.nist.gov or ntp1.npl.co.uk (as time.windows.com has been no more for years now). As these are down for maintenance on occasion, this isn't totally foolproof either. I remember when my motherboard battery went flat and replaced it - forgetting to reset the time - then sending an e-mail dated 2004 in 2006. If this were to be used for criminal activity - how would they go on in court?

  41. Anonymous Coward
    Go

    Good behaviour

    Whether you appreciate what she's doing as hacking or not, you must admit it's a damn sight more impressive than looting JD Sports...

  42. Jolyon Ralph

    Early Hacks

    When I was in my very early teens, I realised I could add a joystick port to my ZX Spectrum by simply soldering some wires and a 9-pin D socket to the base of the Spectrum motherboard, where the keyboard connector was mounted. It was trivial to make a joystick that was compatible with the 'Interface 2' standard. Although less successful was the hole I made in the front of the spectrum case, which was carved very badly using a dinner knife heated up over my mum's cooker. Ruined the knife, and the hole was ghastly.

    A few years later on, still a teenager and proud owner of an Amiga 500, I was, out of pure curiosity of course, trying to reverse engineer the image format of the image frames in the game 'Hollywood Strip Poker'. After failing at that, it suddenly dawned on me that if you renamed the files such that inga01 became inga08, inga02 became inga07 etc... then if you played the game really well, naked Inga would start to put her clothes back on.
