Nintendo targets 3DS vulnerabilities in new bug bounty

Nintendo has announced it’s now supporting a bug bounty program for researchers to find flaws in its 3DS family of handheld game consoles. Researchers could make up to $20,000 for discovering vulnerabilities for the 3DS that could be used for pirating games, enabling cheats, or distributing “inappropriate content to children”.

Nintendo’s 3DS is the latest incarnation in a series of handheld consoles from the manufacturer over the years. The 3DS consoles have internet connectivity, which is intended to help gamers shop for new games, connect with other friends using the 3DS, and surf online with a built-in browser.

And where there’s internet connectivity there’s an attack vector, right? Though the internet connection may seem like a no-brainer target for the bug bounty, most of what Nintendo is focusing on is actually hardware-based. Specifically, they’re targeting system vulnerabilities in the ARM9 and ARM11 chipsets, which ship with various versions of the 3DS since the console’s initial release in 2011. These vulnerabilities are generally exploited via software loaded directly to the console by SD card.

These are vulnerabilities Nintendo is especially interested in, according to its new bug bounty page:

  • System vulnerabilities regarding the Nintendo 3DS™ family of systems
    • Privilege escalation on ARM11 userland
    • ARM11 kernel takeover
    • ARM9 userland takeover
    • ARM9 kernel takeover
  • Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS™ family of systems
    • ARM11 userland takeover
  • Hardware vulnerabilities regarding the Nintendo 3DS™ family of systems
    • Low-cost cloning
    • Security key detection via information leaks

Like Apple, Nintendo takes a “walled garden” approach to the software you are allowed to run on its hardware. If Nintendo users want to run software that Nintendo hasn’t specifically approved, they have to get creative. On iPhones, breaking out of the walled garden is called jailbreaking; on Nintendos, it’s known as modding, using security holes to modify the 3DS’s core software to remove the restrictions that limit the device to approved software only.

That’s why vulnerabilities in the ARM9 and ARM11 chipsets are like gold dust to modders: security holes in the CPU itself can often be exploited to bypass the security checks inside the Nintendo operating system.

Mods that bypass Nintendo’s checks can be used for editing a game’s save files (in a word, cheating) and dumping unlawful copies of game software (in a word, piracy), but they can also be used for running software not written by Nintendo, such as open-source games and system emulators. In other cases, modders are simply working to fix what they see as bugs or gaps in a specific game’s functionality – in effect, providing their own patches.

Of course, if security researchers heed the call of the bug bounty, then at least some of the flaws they find will allow Nintendo to close holes currently used for 3DS modding.

On the other hand, exploitable security holes are a cybercriminal’s dream, too, so the sooner they’re found by the Good Guys, the better.