The Nintendo Switch has been a massive success for Nintendo, shipping nearly 15 million units to date and outselling the lifetime sales of the Wii U in less than a year. Nintendo has always worried about the system’s security — the company has refused to provide backup options for saved games because it’s terrified the capability will be abused by hackers. Now, the entire point is moot. Every single Switch ever shipped has a flaw that Nintendo literally can’t patch out of the system.
According to the hacker team ReSwitched, their attack Fusée Gelée, is:
[A] coldboot vulnerability that allows full, unauthenticated arbitrary code execution from an early bootROM context via Tegra Recovery Mode (RCM) on NVIDIA’s Tegra line of embedded processors. As this vulnerability allows arbitrary code execution on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, this vulnerability compromises the entire root-of-trust for each processor, and allows exfiltration of secrets e.g. burned into device fuses.
Translation: Katherine Temkin and her team have found the keys to the kingdom. However Nintendo may address this in the future, there’s no fixing the Switches that have already shipped — because the vulnerability that allows this exploit to exist is a code mistake in the read-only bootrom set before the device leaves the factory. There’s nothing to be done about it once the device has left the building.
The hack is a buffer overrun attack that allows data to be copied into protected memory, where it shouldn’t have access, and allows the attacker to run arbitrary code. Ars Technica notes that forcing a Switch into USB recovery mode is potentially difficult — except that there are methods, including specialized devices, that can perform this task simply and on demand.
On her page, Temkin notes:
[Fusée Gelée isn’t] a perfect, ‘holy grail’ exploit– though in some cases it can be pretty damned close. The different variants of Fusée Gelée will each come with their own advantages and disadvantages. We’ll work to make sure you have enough information to decide which version is right for you around when we release Fusée Gelée to the public, so you can decide how to move forward.
Nintendo’s decision to prevent saved game backups on the Switch was consumer-hostile to start with. Now, security breaches like this make it nonsensical. Every single Switch in-market today can be hacked, full-stop. It’s true that these kinds of hacks can also be used to facilitate piracy (something Temkin notes in her FAQ), but by refusing to provide valid solutions for capabilities gamers want, Nintendo pushes more people towards piracy in the first place.
In the same way that not everyone who jailbreaks a phone wants to steal software, not everyone who jailbreaks a Switch wants to pirate games. Oftentimes, especially with a mobile system, people want to backup games they’ve already poured hundreds of hours into. Whatever marginal utility locking down saved games solved, it’s over now.
One more thing to keep in mind: Nintendo may not be able to prevent the hack, but it’s possible they will take action to lock Switches compromised in this fashion from connecting to Nintendo servers or using Nintendo services. Keep a careful eye on how the situation develops before committing to anything.
0 comments: