If you have a Nintendo Switch gaming console, you’re going to want to listen up. As initially reported by Ars Technica, it would appear that a new “exploit chain” for Nvidia Tegra X1-based systems outlines an unpatchable process to run random code on all — that’s right, all — Nintendo Switches. Hacker Katherine Temkin and her team at ReSwitched published an outline of the Fusée Gelée coldboot vulnerability, as well as a proof-of-concept payload that works on the Switch.
The exploit takes advantage of a vulnerability found in the Tegra X1’s USB recovery mode, and somehow manages to avoid the lock-out operations that normally guard the chip’s bootROM. By forcing a bad “length” argument, a hacker could effectively force the system to “request up to 65,535 bytes per control request.” That amount of data overflows the direct memory access buffer in the bootROM, which in turn opens the data up for attack and allows a hacker to run arbitrary code.
“By carefully constructing a USB control request, an attacker can leverage this vulnerability to copy the contents of an attacker-controlled buffer over the active execution stack, gaining control of the Boot and Power Management processor (BPMP) before any lock-outs or privilege reductions occur,” Temkin wrote of her discovery. And of course, the worst part of all of this seems to be that it cannot be fixed.
“Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever,” wrote fail0verflow. “Nintendo can only patch Boot ROM bugs during the manufacturing process.”
While actually executing the exploit would take quite a bit of skill, the steps to do so have now been fully outlined, which means that theoretically, anyone who wanted to take advantage of the serious bug could do so. So why are white-hat hackers posting all of this information online? As Temkin noted, the exploit is “notable due to the significant number and variety of devices affected, the severity of the issue, and the immutability of the relevant code on devices already delivered to end users. This vulnerability report is provided as a courtesy to help aid remediation efforts, guide communication, and minimize impact to users.”
As it stands, there are about 15 million Nintendo Switch consoles out and about in the world, so it is, in fact, a serious problem. We will keep you updated as the situation continues to develop.
- Nintendo Switch vs. Xbox One: Can the new hybrid best the established console?
- 10 new characters we want to see in ‘Super Smash Bros. for Switch’
- Nintendo Switch vs. PlayStation 4: Which console should you buy?
If you have a Nintendo Switch gaming console, listen up. It would appear that a new "exploit chain" for Nvidia Tegra X1-based systems outlines an unpatchable process to run random code on all Nintendo Switches.