Barely two weeks after going on sale, someone has hacked the Nintendo Switch console using an old Apple iOS flaw in a browser that’s not officially supposed to be on the machine.
Welcome to the odd universe of console hacking, by which we mean either jailbreaking or, failing that, making the machine do something interesting nobody knew was possible. For each new console these days, the story always starts as a race to be the first to find a way in.
The latest honour has been claimed by a young Italian iPhone jailbreaker called Luca Todesco (@qwertyoruiop) who posted an image on Twitter with the word “done” on the Switch’s screen below a laptop displaying the code used to make that happen.
He had, he said, used a modified version of his own JailbreakMe tool to exploit an old Apple iOS 9.3 flaw in the WebKit HTML rendering engine used by a hidden, integrated browser. A second individual, LiveOverflow, quickly published a proof of concept confirming the discovery, while a third research group, ReSwitched, offered their own tool.
This was unexpected. Statements by Nintendo in February suggested the Switch wouldn’t ship with a browser, something commentators immediately doubted. Without some kind of browser, how would users connect their expensive portable console to the internet through the captive portals used by hotspots?
In fact, there was a hidden browser interface that could be invoked under special conditions such as accessing a Facebook profile or – yes! – using a WiFi hotspot. So the Switch had a browser of sorts after all, just not a very useful one.
We now know this happens to be vulnerable to a security flaw that Apple fixed in an update months ago. But does the issue have any significance beyond telling us that the first Switches entered the supply chain some time ago?
The flaw in the WebKit browser isn’t on par with a full kernel jailbreak of the sort that would allow piracy or custom firmware, so perhaps not. Nintendo can also patch the issue with an update, although when that might turn up is anyone’s guess.
Nevertheless, Nintendo clearly isn’t paying enough attention to problems it should have anticipated months ago. It’s not as if software flaws in browsers are surprising.
Perhaps the risk from consoles is morphing from old-style jailbreaking to “userland” attacks. In an interview with Forbes, Todesco speculated about the future potential to use Switch consoles for surveillance: “If there is a microphone you could use the switch to record and send that remotely.”
Doubtless, a small army of researchers is working on that little problem right now – just as soon as the Switch comes back into stock, that is. To quote one sarcastic commentator:
It [the Todesco hack] might actually be the first time in history that people could get their hands on a console hack more easily than on the console itself.
4 comments on “Switch console flaw leaves Nintendo looking flat-footed”
Wouldn’t really call it hacked. The only thing they did was redirect the wifi authentication page to something else.
The PoC I saw takes it a bit further than that. As far as I can see, by forcing their own content into WebKit, they were ultimately able to call selected operating system functions under the guise of the WebKit process. I’m not sure quite how much you can do with the access they acquired, but if you have a vulnerability that allows you to use a remote web page to trick a program on the device to run machine code of your own choosing…
…then that’s RCE, short for remote code execution, so I think the word “hack” fits perfectly.
Technically speaking, an HTML rendering engine (WebKit) is not a browser. You cannot browse the web with Android’s WebView. So it’s a matter of interpretation. When Nintendo said that they wouldn’t ship a browser on the console, they most likely meant a full-fledged browser that users can actually use, not an underlying engine that some applications can use to display HTML content. I tend to agree with Nintendo on this one, and not with jailbreakers who used the word browser very loosely.
Thank you – fixed!