Five-Year-Old Boy Hacks His Xbox One

By Gary Davis on Apr 10, 2014

For most five-year-olds, rule breaking usually consists of jumping in puddles and staying up past bedtime. Not so for Kristoffer Von Hassel, the son of San Diego security researcher Robert Davies.

You see, young Von Hassel managed to discover a major security flaw in the Xbox One gaming console on his own, and Microsoft, the company producing the Xbox One, has taken notice.

Von Hassel discovered he could access his father’s Xbox Live account—a premium feature that connects users with other users over the Internet—and play games outside of his age range simply by entering a wrong password and then pressing the space bar several times on the next password prompt. Apparently those seven spaces could act as a backdoor to any account. Computer programmers often build hidden backdoors into software applications so they can fix bugs. If hackers or others (in this case, Von Hassel) learn about a backdoor, the feature may pose a security risk.

At first, according to local television station KGTV, young Von Hassel was elated he could finally play his father’s games, but he later worried his parents would discover the misdeed and that Microsoft would “send its agents to confiscate the compromised console.”

His parents eventually caught him playing a game they knew he wasn’t allowed to play. But instead of sending him off to his room, they publicized his hack, as any security researcher parent would be inclined to do.

“How awesome is that!” father Robert Davies told KGTV. “Just being five years old and being able to find a vulnerability and latch onto that. I thought that was pretty cool.”

And Microsoft didn’t come to steal Von Hassel’s gaming console, either. Microsoft sent Von Hassel four free games, a $50 gift card, a free year of Xbox Live Gold and credited him as an official security researcher. Not a bad haul for a five-year-old.

Microsoft has since squashed the bug, but the incident does highlight an important point: a lot of Internet-connected devices, such as the Xbox One, may not have the necessary security standards built in to keep your information safe. The Internet of Things (IoT)—the idea that most “things,” from automobiles to fridges and everything in between, will one day connect to the Internet—doesn’t quite yet have the security standards in place to keep your information secure. As more and more devices emerge with Internet connections, security researchers and manufacturers must keep up with this pace of innovation.

Without security standards to match the rate of device connectivity, gaps in security will happen. Take, for example, this proof-of-concept attack on Smart TVs, which allowed the hackers to take control of a Smart TV’s camera and microphone and to monitor any browsing and chat history on the device. And more recently, LG’s Smart TVs were caught leaking viewing data without the owner’s knowledge.

So what can you do to protect your data and IoT connected devices from suffering this fate? Well, here are a few tips:

  • Set unique passwords. Setting unique passwords for your devices, whether it’s Xbox, an Internet-connected thermostat or a Smart TV, is essential. Passwords should be unique to the device, and should contain a combination of letters, numbers and special characters. It’s hard to keep track of numerous unique passwords.
  • Stay up to date with the latest software. By staying up to date with the latest software for your device, you protect yourself from security bugs that could cost you a pretty penny further down the road. In this case, Microsoft patched Von Hassel’s bug pretty quickly, thereby protecting millions of Xbox Live accounts, which cost $60 a year.
  • Protect your mobile devices. Xbox Live, Microsoft’s premier online service for Xbox owners, also has a mobile app. While this may seem inoffensive to most, it does pose a security risk. What happens to your subscription if your mobile device is stolen or if you’re the victim of a phishing attack—and valuable information pertaining to your account is obtained by hackers? Protect your mobile device with McAfee LiveSafe™ service or, if you already have your computers covered, protect your mobile devices with McAfee® Mobile Security for iOS and Android. Both include device tracking and remote data wiping to help keep your data out of the wrong hands.

About the Author

Gary Davis

Gary Davis was previously McAfee's Consumer Security Evangelist providing security education and advice to businesses and consumers. He is a sought-after speaker on trends in digital security, appearing at conferences and events, as well as security and consumer lifestyle broadcast outlets and publications such as ABC, NBC, FOX, the Wall Street Journal, USA Today, Money ...
