Nintendo Switch has proven to be a resounding success for the company, outselling major consoles such as the PlayStation 4 and Microsoft's Xbox lineup in its debut year. And with titles such as Wolfenstein II: The New Colossus and Donkey Kong Country: Tropical Freeze set to arrive soon, Switch looks set for another remarkable financial year, even though Nintendo has said in the past that there will be no new hardware for now. The company's position on that could change soon, though.
A newly discovered hardware vulnerability leaves millions of Switch consoles vulnerable to a total jailbreak, allowing hackers to execute arbitrary code and run custom ROMs on the device, among other things.
Discovered by hardware hacker Kate Temkin, working with members of the ReSwitched project, the cold-boot vulnerability has been christened 'Fusée Gelée' and is known to affect all devices using NVIDIA's Tegra line of embedded processors, specifically the NVIDIA Tegra X1 chip in the Switch.
The team has released complete details of the severe vulnerability, a proof-of-concept report, exploit execution details and the mitigation measures associated with the vulnerability on GitHub, and has already sent a public disclosure notice to NVIDIA and Nintendo to contain the negative impacts and contribute to the resolution of the grave security issue.
Fusée Gelée allows anyone with the know-how to take control of the Boot and Power Management Processor (BPMP) before any system-directed security lock-out happens, enabling them to execute arbitrary code at the highest level of privilege. They can activate the Switch's recovery mode and craft a USB control request that delivers an additional data payload, which then runs on the BPMP, opening the door to installing emulators, backing up Switch games externally to a USB drive, and so on.
The biggest worry is that no server-side patch can be issued to fix the vulnerability, because it lies in the NVIDIA chip onboard, which means every Nintendo Switch unit sold so far across the world is vulnerable. The only remedial step Nintendo can take is to embed a different security code into all units that are yet to hit the market, in order to restrict the level of access one can gain if the vulnerability is exploited.