Switch hacked: unpatchable exploit is a security nightmare for Nintendo
Linux already running, custom firmware in development.
Nintendo Switch has been hacked, with two similar exploits released in the last 24 hours following a complete dump of the console's boot ROM. The hacks are hardware-based in nature and cannot be patched by Nintendo. The only way forward for the platform holder in fully securing the console will be to revise the Nvidia Tegra X1 processor itself, patching out the boot ROM bug. In the short term, homebrew code execution is possible and a full, touch-enabled version of Linux with 3D acceleration support is now available.
The exploits have been delivered by veteran console hackers fail0verflow with its ShofEL2 release, and the Fusée Gelée hack from Kate Temkin, which is fully documented here. According to the hackers, the nature of the exploit was fully disclosed to Google, Nintendo and Nvidia some time ago. fail0verflow was set to release its exploit on 25th April, but brought it forward once the boot ROM dump leaked.
"Choosing whether to release an exploit or not is a difficult choice," fail0verflow wrote in a blog post accompanying the release of its exploit. "Given our experiences with past consoles, we've been wary of releasing vulnerability details or exploits for fear of them being used primarily for piracy rather than homebrew.
"That said, the Tegra bootrom bug is so obvious that multiple people have independently discovered it by now; at best, a release by other homebrew teams is inevitable, while at worst, a certain piracy modchip team might make the first move. 90 days ago, we began the responsible disclosure process with Google, as Tegra chips are often used in Android devices. The disclosure deadline has now lapsed. The bug will be made public sooner or later, likely sooner, so we might as well release now along with our Linux boot chain and kernel tree, to make it very clear that we do this for fun and homebrew, and nothing else."
Here's the team's video showing Switch running Linux, seemingly with full hardware integration of touch support. In addition to that, we've also seen a screenshot of Doom 3 running on the Nintendo portable, presumably running via Linux.
It'll take some time for a homebrew toolchain to appear that produces code that can run natively on Horizon - the name of the Switch OS - and right now, unless you're really keen on Switch Linux, there's not much utility for the exploit until the arrival of custom firmwares later on down the road. But as fail0verflow mentions in its blog, the hack will likely be used for running pirate software at some point. Unfettered access to game software also allows for modifications to take place, potentially compromising the integrity of Switch's online gaming environment. So on the one hand, this exploit delivers Linux and potentially opens up Switch as one hell of an emulation portable - but on the other, Nintendo faces a security nightmare in preventing piracy and keeping modders and cheats out of its online gaming environment.
So what happens next? Well, Nintendo and Nvidia are fully aware of the exploits available and while they cannot stop current Switch consoles from being compromised, they can attempt to shore up the OS at a software level. They can't stop the OS from being altered, but they can make it harder to reverse engineer the elements that make running unsigned code possible. Similarly, new OS-level code can be implemented in an attempt to detect hacked consoles and to remove them from online play. Unfortunately though, the reality is that any software-level fix from Nintendo can be undone if hackers put in the time and effort to roll back changes Nintendo introduces to the OS.
In the longer term, Nintendo can only lock out the hack completely by changing the Tegra X1 processor itself, patching out the bug that makes these exploits possible - and funnily enough, a new Tegra processor with a T214 designation (the standard model is codenamed T210) is referenced in the Switch 5.0.0 firmware - along with the possibility of a RAM bump to 8GB from the existing 4GB. But in the shorter term, Nintendo has its work cut out doing all it can at the OS level, in the knowledge that any measures it introduces on the console itself can almost certainly be circumvented via the low-level access granted by the exploit.
Ultimately, as exploits go, this is something of a security nightmare for Nintendo. Options are limited in how it can respond and it almost certainly begins a game of cat and mouse between hackers and the platform holder: firmware updates issued with new security patches, followed by custom firmware alternatives that once again allow unsigned code to run. Despite the advance warning given to Nintendo, the current Switch firmware remains vulnerable - with the limited routes forward available to Nintendo, it'll be fascinating to see how it responds.