One year ago at DEFCON Kids 1, CyFi released a new class of zero-day vulnerabilities called Time Traveler. The Time Traveler bug exists across all major mobile platforms. It is a mistake made by thousands of app developers. At the same time, Time Traveler is a critical bug, allowing for exploit code to run on servers. CyFi and AT&T responsibly notified app developers about the Time Traveler bug, but few have fixed the problem.
It is important that this bug be fixed and it is easy to do so. App developers just need more awareness about the importance of security. That is the point of this contest (and cuz it’s fun). CyFi loves the mobile app world and wants it to survive. If you do too, help her find more vulnerable apps and notify the developers.
Contest Rules and Hours
CyFi will be in the DEFCON Kids Workstation Room on Friday at 14:00-15:00 to show you how to find her Time Traveler bug. Kids 8-16 at DEF CON 20, you are invited to turn in vulnerable apps to CyFi in the Kids Workstation Room sometime before 17:00 on Sunday. The winners will be announced at the main DEF CON 20 Awards Ceremony starting at 18:00 on Sunday.
Thanks to support from AT&T:
1st Place: iPad plus $1000
2nd Place: iPad plus $500
3rd Place: iPad plus $100
The first 50 kids to turn in a new vulnerable app will get a limited edition CyFi Zero Day/DEFCON Kids/DEF CON 20 T-shirt.
Description of the Vulnerability:
TimeTraveler is a new class of vulnerabilities in all mobile devices caused by apps trusting the time on the device and incremental increases in goods. By controlling time, you can do many things, such as grow pumpkins instantly. This technique enables endless possibilities.
Apps Found Vulnerable at DEFCON Kids 1 and Status at DEFCON Kids 2:
• VULNERABLE – Smurf’s Village – Capcom Entertainment, credit to CyFi and Clover
• VULNERABLE – Pocket Frogs – Nimblebit, credit to CyFi
• VULNERABLE – Zombie Farm – Shen Games, credit to CyFi, Clover, and the Oday Brothers
• VULNERABLE – Snowy Farm – Gameview Studios, credit to CyFi
• VULNERABLE – City Friends – Funverse, credit to the Oday Brothers
• FIXED – Butterfly Farm – raiX UG, credit to the Oday Brothers
• FIXED – Castle Age – Phoenix Age, credit to the Oday Brothers
• FIXED – Zoo Story – Team Lava, credit to the Oday Brothers
• FIXED – City Story – Team Lavay, credit to the Oday Brothers
• FIXED – Empire Story – Team Lava, credit to the Oday Brothers
• FIXED – Farm Story – Team Lava, credit to CyFi and the Oday Brothers
• FIXED – City Story Valentines – Team Lava, credit to the Oday Brothers
• TBD – Coin Pirates – Nubee Pte Ltd., credit to CyFi and Dead Addict
Tips for App Developers:
There is a quick and easy fix to the Time Traveler bug. Games can put protection in the mobile app or a server to determine if the time has been artificially changed. There are a number of ways to do this. App developers can go to Lookout’s blog for tips to avoid TimeTravelers.
“It’s a cool trick, the sort of thing you’d do if you didn’t know it shouldn’t work. If that’s not hacking, I don’t know what is,” Kaminsky told me. “It’s legitimately cool work. We’ve known for years that games suffer security risks, for reasons of time, budget, and, to be honest, lack of consequence. Attacks against system clocks are also occasionally effective, though usually by slowing the clock down to keep a cryptographic token alive, or resetting time entirely to allow a token to be revived.”
“Time acceleration is extremely rare — I know of only one other use, and that’s to locate ‘phone homes’ where an application or operating system sends traffic to a manufacturer, months, or years after installation.”
“Seeing the ‘phone home’ trick used successfully against mobile games — en masse — is impressive, particularly since it apparently works against some online games. That’s amazing: CyFi is basically then exploiting server trust of a client variable, which has a full user experience for alteration,” Kaminsky said.
“Security experts say there is a lot more at stake than simply cheating at a child’s game. They say it is these kinds of flaws that allow hackers to run their own code, taking control of a device. While PCs normally run some type of anti-virus software, security experts worry that too many mobile devices are unprotected. And given the proliferation of smartphones and tablets in the last two years, it’s a good bet that hackers have taken note.”
CyFi, Cofounder of DEFCON Kids
CyFi is an eleven-year-old hacker, artist and athlete living in California. Last year, she released a new class of zero-day vulnerabilities in mobile apps at DEFCON Kids 1. CyFi has spoken publicly numerous times, usually at art galleries as a member of “The American Show,” an underground art collective based in San Francisco. CyFi’s first gallery showing was when she was four. At the age of nine, she performed at the SF MOMA Museum in San Francisco. CyFi’s has had her identity stolen twice. She really likes coffee, but her mom doesn’t let her drink it.
Thanks for your support AT&T and EFF!