The Nintendo Switch has been a success for the Japanese company. After the misstep of the Wii U, Nintendo is finally back competing evenly with Sony and Microsoft. However, a report by Ars Technica highlights an exploit that opens every Switch to hacking.
Yes, every single Nintendo Switch (around 15 million sold) could be hacked because of the flaw. Hacker Katherine Temkin and ReSwitched published details on the Fusée Gelée coldboot vulnerability. The team also showed a proof-of-concept for an exploit that opens the Switch to attack.
At its core, the exploit uses a flaw found in the Tegra X1's USB recovery mode. The chip's bootROM should have lock-out processes to prevent exploits, but for some reason they do not catch this flaw.
This means a hacker could use a bad length argument to push the system to “request up to 65,535 bytes per control request.” As a result, more data is copied than the memory access buffer can hold, and the overflow leaves the system vulnerable to attack.
“By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur,” Temkin wrote of her discovery.
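To make the class of bug concrete, here is an added illustration; it is not code from Temkin, ReSwitched or Nintendo, and it does not reproduce the Tegra X1 bootROM, which is not public. It models a USB control-request handler with a hypothetical 512-byte receive buffer and shows the flawed pattern, trusting the host-supplied 16-bit wLength field as the copy length, beside a hardened handler that validates the length against the real buffer size before any copy. The buffer size, the function names and the sample requests are all assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical size of the fixed receive buffer that a recovery-mode
 * handler copies control-request data into (an assumed value). */
#define CTRL_BUF_SIZE 512u

/* Standard USB SETUP packet layout. wLength is a 16-bit, host-supplied
 * byte count, so the largest value a host can request is 65535. */
typedef struct {
    uint8_t  bmRequestType;
    uint8_t  bRequest;
    uint16_t wValue;
    uint16_t wIndex;
    uint16_t wLength;
} usb_setup_t;

/* Flawed pattern: the handler takes wLength at face value as the number
 * of bytes to copy. Modelled here as a count rather than a real write:
 * anything above CTRL_BUF_SIZE would land in adjacent memory. */
size_t trusting_copy_length(const usb_setup_t *setup) {
    return setup->wLength;
}

/* Defender's check: would this request exceed the receive buffer? */
int request_overruns_buffer(const usb_setup_t *setup, size_t buf_len) {
    return setup->wLength > buf_len;
}

/* Hardened handler: validates the host-supplied length against the real
 * buffer size before copying. Returns 0 on success, -1 on rejection. */
int hardened_handle(const usb_setup_t *setup, const uint8_t *payload,
                    uint8_t *buf, size_t buf_len, size_t *copied) {
    *copied = 0;
    if (setup->wLength > buf_len) {
        return -1;   /* reject: the copy would overrun the buffer */
    }
    memcpy(buf, payload, setup->wLength);
    *copied = setup->wLength;
    return 0;
}

/* Constructed scenario: a request asking for the maximum 65535 bytes. */
int scenario_oversized_rejected(void) {
    usb_setup_t setup = {0x40, 0x00, 0, 0, 65535};
    uint8_t buf[CTRL_BUF_SIZE];
    uint8_t payload[64] = {0};
    size_t copied = 0;
    int rc = hardened_handle(&setup, payload, buf, CTRL_BUF_SIZE, &copied);
    return rc == -1 && copied == 0;
}

/* Constructed scenario: a well-formed 64-byte request is still served. */
int scenario_inbounds_accepted(void) {
    usb_setup_t setup = {0x40, 0x00, 0, 0, 64};
    uint8_t buf[CTRL_BUF_SIZE];
    uint8_t payload[64];
    size_t copied = 0;
    memset(payload, 0xAB, sizeof payload);
    int rc = hardened_handle(&setup, payload, buf, CTRL_BUF_SIZE, &copied);
    return rc == 0 && copied == 64 && buf[63] == 0xAB;
}

int main(void) {
    usb_setup_t big = {0x40, 0x00, 0, 0, 65535};
    printf("trusting handler would copy %zu bytes into a %u-byte buffer: overrun=%d\n",
           trusting_copy_length(&big), CTRL_BUF_SIZE,
           request_overruns_buffer(&big, CTRL_BUF_SIZE));
    printf("hardened handler rejects oversized request: %d\n",
           scenario_oversized_rejected());
    printf("hardened handler accepts in-bounds request: %d\n",
           scenario_inbounds_accepted());
    return 0;
}
```

The single check in hardened_handle is the whole fix: the length a host puts in a SETUP packet is untrusted input, and a bootROM handler that copies it unchecked into a fixed buffer has no later opportunity to recover, since, as the article notes, the code cannot be updated once the chip has shipped.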
Of course, bugs happen and companies send out patches to fix them, but that won't happen in this case. Temkin says the flaw is unpatchable and cannot be fixed with an update.
“Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever. Nintendo can only patch Boot ROM bugs during the manufacturing process.”
Reason for Disclosure
A hacker would need to be skilled to take advantage of the exploit, but now that the method for doing so has been published, others can follow it. The question is, why would a white-hat hacker like Temkin post the information online, essentially helping people take advantage of the exploit?
She says the exploit is “notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users.”