A little over a week after its launch, a researcher has already found an old vulnerability in the Nintendo Switch which could allow remote attackers to execute arbitrary code on the device or cause a denial of service.
The flaw, CVE-2016-4657, lies in the outdated version of WebKit the device uses, and was patched by Apple in iOS 9.3.5 in August 2016. The same bug was one of the vulnerabilities exploited by the Pegasus spyware in the first stage of its infection chain, where it provided initial code execution inside the Safari browser.
A hacker known as “qwertyoruiop” was able to exploit the vulnerability on the Switch by slightly tweaking an existing “jailbreakMe” iOS WebKit exploit, removing the iOS-specific code and replacing it with code for the Switch, according to a March 13 blog post.
LiveOverflow posted a video of the proof of concept showing how the vulnerability could be used to gain access to the device, and noted that although the CVE description makes the bug look like an iOS flaw, it is actually a WebKit bug, which is why it carries over to any other product built on the same vulnerable WebKit code.
Although the Switch doesn't expose a user-facing browser, it does contain a hidden WebKit browser view: when the console joins a Wi-Fi network that requires the user to log in through a captive portal (a landing page), it loads that page in the hidden view.
By tinkering with the console's network settings, the researchers pointed the Switch at a proxy server running on the attacker's laptop. That proxy let them monitor and manipulate the console's traffic, and by answering the console's captive-portal detection with a page of their own they redirected the Switch to a captive portal hosted on the attacker's machine, which the console then rendered in the vulnerable browser view. Note that this demonstration relies on the proxy being configured on the console itself; an attacker without access to the settings would instead need to control the network the Switch joins, for example its captive portal or its DNS.
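The proxy-and-captive-portal setup described above, as an added example (this is not the article's code and not qwertyoruiop's exploit): a minimal HTTP forward proxy in Python that refuses to forward anything except the console's cleartext connectivity check, which it answers with a harmless placeholder page so that the console concludes it is behind a captive portal and renders that page in its hidden browser view. The connectivity-check hostname `conntest.nintendowifi.net`, the assumption that the check is a plain HTTP GET, and the assumption that any unexpected reply triggers the portal view are all assumptions not stated on the page; the page served is a plain placeholder, not an exploit.

```python
# Added example: a minimal captive-portal trigger proxy. Not the article's code
# and not qwertyoruiop's exploit; it serves a harmless placeholder page.
import http.server
import socketserver
from urllib.parse import urlsplit

# Assumption (not stated on the page): the console checks connectivity with a
# plain HTTP GET to this host, and treats any unexpected reply as a captive portal.
CONNTEST_HOST = "conntest.nintendowifi.net"

# Harmless placeholder page, constructed for this example. This is what the
# console renders in its hidden WebKit view when it believes it is behind a portal.
PORTAL_PAGE = (
    b"<!doctype html><html><head><title>Test portal</title></head>"
    b"<body><h1>Test portal</h1>"
    b"<p>Rendered by the console's hidden browser view.</p></body></html>"
)


def classify_request(method: str, url: str) -> str:
    """Decide how the proxy handles a proxied request.

    A forward proxy receives the absolute URL in the request line, e.g.
    'GET http://conntest.nintendowifi.net/ HTTP/1.1', so the target host is
    taken from the URL rather than from the Host header.
    Returns 'portal' for the cleartext connectivity check and 'refuse' for
    everything else: this proxy never forwards traffic upstream.
    """
    parts = urlsplit(url)
    if (method.upper() == "GET" and parts.scheme == "http"
            and parts.hostname == CONNTEST_HOST):
        return "portal"
    return "refuse"


def build_response(method: str, url: str):
    """Return (status, headers, body) for a proxied request."""
    if classify_request(method, url) == "portal":
        return 200, {"Content-Type": "text/html; charset=utf-8"}, PORTAL_PAGE
    return 502, {"Content-Type": "text/plain; charset=utf-8"}, b"not forwarded\n"


class PortalProxyHandler(http.server.BaseHTTPRequestHandler):
    """Handles the console's proxied requests and logs each one for monitoring."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        self._respond()

    def do_POST(self):
        self._respond()

    def do_CONNECT(self):
        # TLS tunnels are refused: the connectivity check is cleartext, and a
        # proxy could not alter HTTPS content anyway.
        self.send_error(502, "CONNECT tunnels are not supported")

    def _respond(self):
        status, headers, body = build_response(self.command, self.path)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Connection", "close")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # Every request the console makes through the proxy shows up here.
        print("proxy %s: %s" % (self.client_address[0], fmt % args))


def serve(host: str = "0.0.0.0", port: int = 8080) -> None:
    """Run the proxy; point the console's proxy setting at host:port."""
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer((host, port), PortalProxyHandler) as srv:
        print("listening on %s:%d" % (host, port))
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

Point the console's proxy setting at the laptop's address and port 8080. Every request the console issues through the proxy is printed, which is the monitoring the researchers describe, and nothing is forwarded upstream, so the tester sees exactly what the device tries to reach while only the connectivity check receives a page. CONNECT (HTTPS) tunnels are deliberately refused, since a proxy cannot substitute content inside a TLS session without a trusted certificate.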
“One way for an attacker to exploit this vulnerability would be to approach it over the wireless network,” Plixer CEO Michael Patterson told SC Media. “If the attacker is able to make a connection they might then try to install Mirai or similar malware.”
Patterson said that although the risk of personal information exposure may not be significant, once the device is infected, threat actors might try to turn it into a bot and use it to launch DDoS and other attacks against other devices.
“To avoid this compromise, it might be best to stay away from the wireless functionality,” Patterson said, adding that it's not surprising that the device had the vulnerability since all devices that connect to the internet can be compromised.
Tripwire Manager of Software Development Tyler Reguly told SC Media that concerns about the flaw are minimal and that it wouldn't dissuade him from using the device.
“While vulnerabilities like this are great for hardware hackers and researchers that want to learn more about the inner workings of the device, they simply aren't realistic attack scenarios that present much risk to the end user when using the device as designed,” Reguly said. “We're talking about a browser exploit on a device that, while it contains a browser, is not designed for browsing.”
He said the only real risk to the end user is in cases where they're on someone else's network or when DNS hijacking can occur.
It is unclear why the Switch shipped with a known, already-patched WebKit vulnerability in its browser, or whether Nintendo plans to patch it quickly. SC Media attempted to reach Nintendo; the company has yet to respond.