Sunday during the annual DEFCON convention (19), a 10-year-old hacker revealed a zero-day exploit in Android and iOS games. Going by the alias "CyFi," the California girl wouldn't reveal which games were affected by the exploit (for obvious reasons), but CNET reports that independent researchers have confirmed the exploit as a new class of vulnerability.
While speaking with CNET an hour before her presentation, CyFi said that she discovered the flaw back in January 2011 because she grew bored with the slow pace of farm-based games. "It was hard to make progress in the game, because it took so long for things to grow," she said. "So I thought, 'Why don't I just change the time?'"
Based on her testimony, there wasn't any real hacking involved. Instead, most of the games she discovered containing the exploit featured time-dependent factors. CyFi admitted that she didn't want to wait ten hours for a certain crop to grow, so she instead manually advanced her tablet's clock ahead ten hours – this reportedly opened up the exploit.
She then took her discovery a bit further. Typically most games will detect and block this kind of cheat, but she discovered that it was much more difficult for the game to detect her manipulation once she disconnected her device from the Wi-Fi network. Making incremental adjustments to the clock also proved difficult to detect.
CyFi's presentation was part of the DEFCON Kids, a spinoff of the popular hacker convention that allows kids to participate in demos and workshops such as learning how to open master locks, Google hacking, making electronics, social engineering, coding from scratch and more.
"There will be a workroom for kids to participate in hacking activities anytime throughout the two days, including a Codebreaking Museum, a Makerbot and the Hardware Hacking Station," reads the convention description. "The rooms are on a first-come, first-serve basis. There will also be contests just for kids, including social engineering and lockpicking."
After CyFi's presentation, the sponsors offered a $100 reward to the young hacker who found the most games with her newly-discovered exploit over the following 24 hours.