The recently leaked videos from the highly anticipated video game Grand Theft Auto VI have captivated gaming fans and horrified its publisher. But perhaps most surprising is the device the teenage hacker allegedly used to steal the game‘s data—an off-the-shelf Amazon Fire TV Stick. This relatively simple streaming gadget was jailbroken and transformed into a powerful hacking tool that penetrated the defenses of one of the world‘s most valuable video game franchises.
The Kid Behind the Stick: Teen Cybercriminal Arion Kurtaj
The individual who allegedly carried out this audacious hack is no novice. 18-year-old Arion Kurtaj of the United Kingdom is a member of the notorious hacking group Lapsus$, which has targeted major tech and video game companies like Microsoft, Nvidia, Ubisoft, and others.[Mugshot of Arion Kurtaj]
Earlier this year, Kurtaj was arrested for his part in the hacking of chipmaker Nvidia. But while out on bail, he caught the attention of rival hackers who "doxed" him and leaked his personal details online. Police then relocated Kurtaj to a hotel room with restrictions on internet access to protect his safety. Of course, these restrictions proved ineffective against the young hacker.
From his hotel room, Kurtaj used an Amazon Firestick, mobile phone, mouse, and keyboard to access Rockstar‘s systems and download over 90 videos showing unfinished gameplay and development footage from GTA VI. He even brazenly announced himself on Rockstar‘s Slack channel and demanded they contact him or he would release more data.
Inside the Hotel Room Hack
So how did Kurtaj turn an ordinary Fire TV Stick into a Trojan horse that infiltrated Rockstar‘s networks?
The Firestick runs a version of Android and can be "jailbroken" to install apps outside of Amazon‘s walled garden. With some technical skill, Kurtaj likely used the Firestick to access cloud servers and services, then pivot to Rockstar‘s internal systems.[Diagram of potential hotel room hack method]
This highlights the growing "attack surface" introduced by new internet of things (IoT) devices like the Firestick. Their capabilities often exceed their original purpose, allowing creative hackers to exploit them in unanticipated ways.
The Teen Hacker Community: Black Hats or White Hats?
Kurtaj is not the first talented teenager to use their skills to illegally access systems and data. But some ethical hackers believe youthful lawbreakers can become a force for good.
"Many prominent hackers got their start as teenagers doing unsanctioned explorations of technology before later directing those skills into careers in cybersecurity, pen testing, and more," said Joseph Carson, Chief Security Scientist at security firm Delinea. "We shouldn‘t judge curious young hackers too harshly or paint them all as criminals. With mentorship and opportunities, they can become the white hat defenders of tomorrow."
By the Numbers: Teen Hackers and Cybercrime
58% of hackers get their start before age 16, according to the 2018 Hacker Report from HackerOne.
15% of malicious hacking comes from attackers aged 16-20, per analysis by Akamai.
$2.7 million was the average cost of a data breach caused by a malicious insider in 2021, according to IBM‘s report. Insider threats are a common cybersecurity challenge.
Up to 50% of cybercrime may be committed by outsider youth hackers, according to estimates from New York University‘sernational Journal of Cyber Criminology. However, insiders at companies also remain a risk vector.
How Gaming Companies Can Beef Up Security
Gaming leaks may capture public attention, but all companies face cybersecurity threats from external hackers and even internal actors. Here are best practices gaming firms and other organizations should follow:
Adopt zero trust security models that verify all access and don‘t trust anyone by default, even employees.
Implement multifactor authentication and carefully limit access to sensitive data. Don‘t allow open access to full databases.
Monitor for suspicious insider activity and unauthorized data transfers.
Establish clear cybersecurity policies and training so employees understand how to spot potential threats.
Keep software regularly updated and quickly patch any discovered vulnerabilities.
No security is perfect, but companies can mitigate risk through layered defenses.
You‘re Being Tracked: How to Protect Your Privacy Online
While companies need to improve security practices, individuals also must learn how to protect their privacy and data. Here are tips everyone should follow in our interconnected world:
Use a VPN like Surfshark to encrypt data and mask your IP address from prying eyes. VPNs protect your online activity and identity.
Enable multifactor authentication on important accounts whenever possible. This safeguards access in case your password is compromised.
Check that apps and services only request necessary permissions and limit access to phone features. Don‘t just blindly accept permissions.
Use password managers to generate and store strong random passwords. Unique passwords prevent account breaches from spreading.
Be selective in sharing personal data online and understand your privacy settings on social media and other platforms.
Take control of your digital footprint. The above steps can help safeguard your privacy and make you less vulnerable to invasive tracking or cyberattacks.
The Stick That Broke the Camel‘s Rockstar
The hotel room intrusion of one of gaming‘s most valuable franchises makes for a dramatic tale. But it also underscores the growing cybersecurity threats that individuals, gaming companies, and all corporations face in our digital world. As more young hackers test boundaries with new skills and unconventional tools, we need an honest appraisal of how to rein in unethical activity but also redirect that talent for good. In the cyber landscape of 2023, we must have one eye looking outward for external threats, and the other gazing within.