‘Holy Grail’ Exploit Puts Nintendo Switch Consoles at Risk

By John P. Mello Jr.
Apr 25, 2018 10:30 AM PT

Devices built on Nvidia’s Tegra X-1 mobile processor are at risk of attack from a flaw security researchers revealed Monday.

The exploit chain discovered by Katherine Temkin and a team at ReSwitched affects any device running the chip, including the Nintendo Switch gaming console and some Chromebooks.

Called “Fusée Gelée,” the vulnerability allows anyone to run code on the chip by overloading a critical buffer when a system boots.

“Fusée Gelée isn’t a perfect ‘Holy Grail’ exploit — though in some cases it can be pretty damned close,” Temkin wrote.

What makes the defect particularly nettlesome is that there is no easy way to patch it on devices that are in the hands of consumers.

Unfixable Flaw

Fusée Gelée is the result of a coding mistake in the bootROM found in most Tegra devices. The flaw can be patched before a device leaves the factory, but not after.

“This immutability is actually a good thing in terms of security,” Temkin wrote.

“If it were possible to apply patches to the bootROM after a unit had been shipped, anyone with a sufficiently powerful exploit would be able to make their own patches, bypassing boot security,” she explained.

“The bootROM is the keeper of the Jewels, and now it can be bypassed,” noted Kevin Curran, a professor of cybersecurity at Ulster University in Northern Ireland and a senior member of the IEEE.

“Hackers will be able to run code of their choosing,” he told TechNewsWorld.

Fusée Gelée likely will be more worrisome to Nintendo than to the users of its Switch consoles, maintained Nael Abu-Ghazaleh, a professor of computer science and engineering at the University of California, Riverside.

“The attack requires physical access to the console so basically the owners would be able to attack their own consoles to run arbitrary code and to potentially circumvent DRM protections or to cheat in games,” he said.

“Its the equivalent of jailbreaking your iPhone for this console,” Abu-Ghazaleh told TechNewsWorld.

Prelude to Piracy

It’s not unusual for gamers to search for vulnerabilities like Fusée Gelée so they can modify their systems, said Jean-Philippe Taggart, a senior security researcher at Malwarebytes.

“This is something that occurs to all gaming platforms,” he told TechNewsWorld. “Some enthusiasts argue that it is to enable the use of home brew games, but a significant amount of this research is usually leveraged to enable piracy.”

Owners who exploit Fusée Gelée risk not only damaging their consoles, Taggart added, but also being banned from online gaming, if Nintendo should detect a console has been modified with the vulnerability.

“Bypassing the protection mechanisms that manufacturers put in place is a neverending arms race,” he observed. “No protection implementation is perfect.”

Chip Makers Beware

What can chip makers learn from this latest quality control failure?

“They need to see this as a warning as to the practice of shipping devices with unmodifiable bootROM loaders,” Ulster University’s Curran suggested.

“Of course, there is a defense to some degree in unmodifiability, but that always presupposes that no flaws exist,” he continued,” and as we see in this attack, there are a number of smart hacker types in the community determined to find vulnerabilities.”

Fusée Gelée should alert chip makers to the need for better communication between the hardware and software sides of their business, observed Willy Leichter, vice president of marketing for Virsec.

“The silos between chip designers and software developers continue to leave big potential openings for increasingly resourceful hackers,” he told TechNewsWorld.

Chip makers also should be aware that they’re attracting more attention from hackers.

“We are seeing a lot more focus on hardware level exploits,” said Chris Goettl, director of product management for security at Ivanti.

“Most of what we are seeing is proof of concept,” he told TechNewsWorld, “but it is only a matter of time before someone figures out how to take a PoC and weaponize it for delivery in a successful attack.”

John P. Mello Jr. has been an ECT News Network reporter
since 2003. His areas of focus include cybersecurity, IT issues, privacy, e-commerce, social media, artificial intelligence, big data and consumer electronics. He has written and edited for numerous publications, including the Boston Business Journal, the
Boston Phoenix, Megapixel.Net and Government
Security News
. Email John.

You Might Also Like