Researchers released a coldboot vulnerability in Nintendo Switch devices which allows attackers to run full unauthenticated arbitrary code execution.
The proof of concept, dubbed the “Fusée Gelée coldboot vulnerability” attack, is reportedly unpatchable on all current Switch consoles and was developed by Hardware hacker Katherine Temkin and the ReSwitched hacking team.
The flaw exists in the Tegra X1's USB recovery mode and circumvents the lock-out operations that would usually protect the chip's bootROM, according to an April 23 GitHub post detailing the exploit. The vulnerability is the result of a 'coding mistake' in the read-only bootROM found in most Tegra devices.
“As this vulnerability allows arbitrary code execution on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, this vulnerability compromises the entire root-of-trust for each processor, and allows exfiltration of secrets e.g. burned into device fuses,” the post said.
Researches said the bootROM can't be modified once the Tegra chip leaves the factory. An attacker can leverage this vulnerability to copy the contents of a buffer they control over the active execution stack to gain control of the Boot and Power Management processor (BPMP) ) before any lock-outs or privilege reductions occur.