The Switch, a hybrid console developed by Nintendo, was released worldwide on March 3, 2017. It is surely the most anticipated product of the year! The Nintendo Switch is a versatile hybrid gaming console that easily pivots between big-screen TV and on-the-go portable play.
Having such a high-profile and sought-after device as the Nintendo Switch is a risky deal, as cyber criminals are always on the hunt for salient vulnerabilities in these devices to fulfill their malicious deeds. No matter how resistant these devices may be to exploitation, hackers will find a way to bypass their protections.
A famous iOS vulnerability analyst, often referred to as ‘qwertyoruiop’, has already discovered a way to exploit it. He is well known for jailbreaking some iOS versions. But here, qwertyoruiop claims that he didn’t jailbreak the Switch.
qwertyoruiop has shown that he was able to hack the Nintendo Switch, as he mentioned in his tweet, which contained an image of the hacked Switch. Developer Live Overflow has also confirmed that the Switch is vulnerable to the iOS 9.3 WebKit exploit (CVE-2016-4657). He also published a demo to prove his point, exploiting the browser in the Switch with that exploit.
Apple WebKit and Nintendo Switch?
Although the Switch doesn’t officially have a web browser for browsing the internet, it does have a web browser that is required for portal logins to enable internet connectivity at public hotspots. That browser uses Apple’s WebKit engine, which is open source.
So the real catch here is that the Switch uses an outdated version of the Apple WebKit engine, the one that comes with iOS 9.3. That version is also vulnerable to the Pegasus malware that infected the iPhone. This vulnerability was later patched in iOS 9.3.5, but surprisingly Nintendo chose to use the quite outdated version.
qwertyoruiop, being an expert in working with the iOS 9.3 WebKit exploit, was able to reuse the old exploit. He stripped down the exploit code to make it work on the Switch.
Live Overflow’s proof-of-concept video shows the whole process in detail and also explains how this exploit works. It’s also worth noting that qwertyoruiop is the same hacker who played a vital role in the infamous PS4 1.76 hack!
For the hacker world, this is a good start toward further analyzing the Nintendo Switch and exploring it in depth.