Luca Todesco, a 19-year-old Italian who has risen to prominence in the iPhone jailbreaking crowd under his pseudonym qwertyoruiop, has just proven how vulnerabilities in one massively popular piece of technology can be re-used to hack an entirely different gadget.
Todesco took a bug in Apple's WebKit browser engine that was previously used by an Israeli spy agency contractor, NSO Group, to spy on iPhones and applied it to the Nintendo Switch. He found he was able to remotely run malicious code on the Switch, as YouTube user LiveOverflow demonstrated.
How did he do it?
Though some reports claimed Todesco had jailbroken the Nintendo Switch, which would have allowed players to add their own software to the device, he was keen to point out that was not the case. His attacks are not that severe - certainly not as serious as the iOS bugs patched by Apple in September 2016. Those weaknesses were combined for attempted jailbreaks of iPhones belonging to a renowned activist in the U.A.E. and a Mexican journalist, forcing Apple to issue fixes in just 10 days. The aim of those attacks was to remove Apple's control over the device so NSO Group's Pegasus spyware could run, siphoning off information for whatever agency paid the Israeli firm, according to the University of Toronto's malware research group, Citizen Lab. (NSO Group didn't confirm or deny the allegations).
Attacking the WebKit bug on the Switch won't strip away Nintendo's control, according to Todesco, a Forbes 30 under 30 alum. It'd also be somewhat difficult to exploit, as the Switch doesn't actually have a browser. A hacker would have to intercept the Nintendo when it attempted to join a Wi-Fi network via a "captive portal," a page where a user has to login, or agree to terms and conditions. Such portals are typically found at cafes, airports or other places with public Wi-Fi networks. The hacker would then need to redirect the Switch to their own malicious portal, where an exploit of the WebKit bug would launch. And, given the limited private data on the Nintendo Switch, there's not much reason for Switch users to panic.
But Todesco told me that if those not insignificant hurdles were overcome, an attacker could do some perturbing things, such as turn the Switch into a little surveillance device. "Like, if there is a microphone you could use the switch to record and send that remotely," he said.
The young hacker had some luck with his hack too: he'd already written an exploit for the iOS bug. "I had the exploit already written basically." He simply tried it once on the Switch and it crashed the device. Just some extra tweaking was required to force the device to execute code.
It's unclear if Nintendo will patch. The Japanese gaming giant hadn't responded to a request for comment at the time of publication. Todesco believes Nintendo will issue a fix, though it may take some time to arrive. "The question is: will they just remove WebKit or patch this bug? Because actually updating WebKit often is pretty tricky."
Switch hacking tool released
Rather than cause consternation amongst the Switch's rapidly growing userbase, Todesco's escapades might be cause for excitement. That's because there's already a burgeoning Switch hacking scene, led by security researchers who want to tinker with their Nintendo systems so they can mod them and upload their own software.
Indeed, Todesco may not have been the first to hack the Switch via that iPhone bug. A group of researchers called ReSwitched released a tool on Tuesday called PegaSwitch, "an exploit toolkit for the Nintendo Switch," which takes advantage of the same WebKit vulnerability as Todesco's hack. Cody Brocious, another noted iPhone hacker who's also famous in security spheres for exposing serious digital shortcomings in hotel door locks, is one of the project leads.
"This does not currently enable homebrew software, but is built to allow other hackers to work toward that goal," the group noted on the PegaSwitch page. The ReSwitched crew's mission is to "fully document the inner workings of the Nintendo Switch, as well as hacking the console to allow homebrew software."
As Todesco noted, his hacks only open the door for future Switch jailbreaks. Switch modders are just getting started.
