The Weakest Part of Every System...

Posted in Family with tags quinton, funny

In the movies it is popular to portray computer hackers as these happy-go-lucky nerds who are mainly interested in whether they can do something rather than whether they should do something. In the movies they typically get in over their head, or go up against a rival hacker gang and… get in over their head.

In the real world, it’s hard to say that computer hackers are the same as the way they are portrayed in the movies - at least the movies I remember. Sure, they are smart folks. But more often than not, at least for the vast majority of the hacking attempts, they are looking to exploit people to get access to their personal information so they can sell it to another bad actor who will then try to profit from having that information. Oh, and most of the time, hackers are targeting the weakest part of every system - human beings!

This story starts with an honest attempt at good parenting. In 2021, with all of the modern technology, and a year into a global pandemic, screen time is something that we all have likely had too much of, including my children. As I am in “the industry,” I try to stay one step ahead of my kids to ensure that I can minimally observe what they are doing on their devices and, especially, online. Occasionally that means limiting screen time in one fashion or another.

I have several tools at my disposal. The main, nuclear option is to just shut down WiFi. And the WiFi setup that I have invested in allows me to cut off network access to individual devices simply by setting up a schedule or tapping a button on my phone. It is, admittedly, somewhat gratifying to have something that I can use as leverage over my kids to which they always respond! A slightly less nuclear option is afforded me by virtue of the fact that we have bought into Apple’s walled garden, hook, line, and sinker, to where every device in the house, almost to a pixel, is an Apple product. Due to this, I can set up all of the devices that I purchase in my “Apple Family” where I can use tools like Screen Time limitations and schedules.

All of these tools are in place - all of the threats capable and respected. Of course, all of the threats are seen as opportunities for young minds to circumvent…

Mirelle hasn’t yet reached an age where it is a big concern. She still occasionally plays with “real toys” in meat space and ditches the screen altogether without us even prompting. Quinton, on the other hand, lives online. His primary vices are Xbox Live (or Xbox Network these days, I suppose) where he plays for hours on end with his friends. When he’s not on the Xbox, he’s typically on his iPad firing through TikTok, Twitch, YouTube, or, if we force him, Netflix or Hulu. He is always online!

My setup has schedules first on the apps that can be used, then on network access entirely. iPad apps shut down at 9:45 on school nights and network access shuts down at 10:05. Towards the middle of the pandemic, I was surprised to walk in on Quinton at 10:15, happily watching Twitch after all of my limits had been exceeded… Huh…

Well, since I’m “in the business,” I decided not to confront him, but to do some research instead. I was impressed on one hand - he had found ways around my rules. But at the same time, I was curious, and somewhat furious.

The first thing to solve was how he was circumventing my network restrictions. That should have been the more foolproof limit, so it was slightly more impressive that he was able to get around it. After a little investigation (and after asking him), I found out that he had connected to a neighborhood XFinity WiFi Hotspot. This is something that Comcast enables by default on all of their equipment in an attempt to “blanket the country” in WiFi signals. I always turn it off, but I can’t control what our neighbors do. So, easyish way to plug that hole, I changed our password to Xfinity (you have to log in to access it in most cases) and removed the connection profile from his device.

Several nights later, I again noticed that Quinton was on his device after 10:00. This time the network was not disabled - he had somehow negotiated that we turn off the restrictions so he could download a game or something… But the app restrictions should still be in effect. Now, the way that Apple’s screen time restrictions work, Quinton can request to have access to applications outside of the scheduled time, but it has to be approved, either on his iPad or by either Jenny or me by entering a PIN that only Jenny and I knew. I knew that he hadn’t asked for more screen time for us to approve, so I surmised that he must have somehow obtained the passcode and entered it himself.

A little more research and I had 10 ways that kids were able to circumvent Apple’s limits. I was able to close a few of them, but the rest involved sneaky ways kids were able to obtain the passcodes - the most creative was by enabling screen recording and asking a parent to enter the passcode.

So I started experimenting. I changed the passcode and instructed Jenny to NOT extend time on his device, but instead to force him to request the time and approve it on our own devices. That worked for a while, but again, a couple of weeks later, he was using the device after hours.

At this point I wasn’t even mad, I was just curious. So I asked him - how was he cracking the code? Did he have access to some kids-only site that traded in screen time passcodes somehow obtained through the dark web? I was curious. So I kept asking him, bargained with him. I’m not embarrassed to admit that I offered up the promise of extended screen time in exchange for the information that was driving me crazy! He told me that he guessed it! Putting together clues from our family, he just “randomly” started entering birthdates and the passcode worked, so he used it! I knew this was nonsense… Quinton barely knows his own birthdate, but he insisted that he somehow guessed it based on social engineering.

I had one more hunch. I changed the passcode again, and this time, I did NOT tell Jenny what the passcode was. I was single threading screentime through myself. Sure enough, no more late night access was occurring. At some point, Quinton admitted what his plot involved. He would ask for more screen time, demand that Jenny enter it on his iPad since it is, “so much harder to request it and to enter it on your phone,” then he would watch her enter the code and memorize it! I can’t say I was mad. In fact, I was impressed, and am now given a cautionary tale to use in interviews and security talks for the rest of my career. The weakest part of any system is the humans that implement it. A clever person, or even a meathead teenager, can easily exploit it with little to no effort.

There is a corollary to this story. Jenny also maintains a very easy passcode to get into her devices. One day, the kids found out that Apple allows a shortcut to extend screen time - one where the PIN is bypassed entirely. I use it all the time, to be honest, and I’m guessing Quinton observed me doing it, put it together with the information that Jenny’s phone is easy to get into, and combined that information to again circumvent the screen time issue. Now he just finds Jenny’s phone, enters her absurdly easy passcode, then uses the shortcut to grant him time. The only thing he has to contend with is me being quicker to hit the “deny” option before he can complete his scheme…

Written by Brandon Grady
 