Nintendo Switch Hacked Via Built-In WebKit Exploit

Nintendo’s Switch has shipped with months-old bugs in its WebKit browser engine that open it up to hacking through the use of arbitrary code execution.

Twitter user and security-cum-hacker specialist ‘qwertyoruiop’ posed a screen shot on the social media network demonstrating the proof-of-concept hack in action.

The Nintendo Switch has only be out for a mere two weeks, yet seems to have attracted the attention of people with the tenacity and digital skills to explore how the hybrid games console can be pushed beyond its normal capabilities.

Switching things up

Such a code injection hacks have been known to cause havoc in the past with the ability to hijack devices such as smartphones and enable malicious actors to steal data from mobile devices.

Given the Nintendo Switch, at the moment, does not present a platform that encourages users to part with a swathe of personal information, contact details, emails and messages, performing a code injection attack on the console is not likely to yield much in the way of valuable data.

And the WebKit browser engine on the console simply acts as a means for interacting with public Wi-Fi hotspots as opposed to providing a web browser for users to navigate the internet with on the device, without putting in a significant amount of effort.

But by setting up a proxy server between the Switch and a public Wi-Fi connection, the hackers can intercept data running from the switch to the network. Normally, WebKit is used to direct Switch users to a captive portal, a web interface used to authenticate and log-on to public Wi-Fi, but once the Switch is connected to a proxy server, hackers can create their own captive portal to establish a connection to the Switch and begin to exploit the WebKit vulnerability.

The flaw in question is the CVE-2016-4657 bug, which was commonly used to carryout arbitrary code injection on iOS devices before it was patched out. As such, hackers can exploit this flaw in the Switch and potentially pave the way for jailbroken consoles and possibly allow for so-called ‘homebrew software to be run on the Switch. However, the bug does not lead to kernel access so the depth of the exploit and the ability to tweak a swathe of the Switch’s setting is not yet possible.

Furthermore, to really get into the Switch and work WebKit to their advantage, hackers need to have an in-depth knowledge of the CV-2016-4657 bug, as putting it to use Is a complex process. As such, large numbers of Switch hacks are not likely to been seen using the technique found by qwertyoruiop.

Given the Nintendo Switch will have had its production finalised likely before the bug was fully reported and fixed, it is not too surprising that the WebKit exploit is present, though Nintendo will likely move to patch it before hackers find any nefarious ways to really crack into its flagship games console.

Quiz: Are you a security guru?

Roland Moore-Colyer

As News Editor of Silicon UK, Roland keeps a keen eye on the daily tech news coverage for the site, while also focusing on stories around cyber security, public sector IT, innovation, AI, and gadgets.

Recent Posts

TikTok Viewed As Chinese Influence Tool By Most Americans – Poll

Most people in the United States view TikTok as a Chinese influence tool a poll…

4 hours ago

Ofcom Confirms OnlyFans Investigation Over Age Verification

UK regulator confirms it is investigating whether OnlyFans is doing enough to prevent children accessing…

4 hours ago

Ex Google Staff Fired Over Israel Protest File NLRB Complaint

Dismissed staff file complaint with a US labor board, and allege Google unlawfully terminated their…

6 hours ago

Tesla Axes Entire Supercharger Team, Plus Senior Executives

Elon Musk dismisses two senior Tesla executives, plus the entire division that runs Tesla's Supercharger…

7 hours ago

Microsoft, OpenAI Sued By More Newspaper Publishers

Eight newspaper publishers in the US allege Microsoft and OpenAI used their millions of their…

8 hours ago

Binance’s Changpeng Zhao Sentenced To Four Months In Prison

US judge sentences Binance founder, Changpeng Zhao, to four months in prison for ignoring money…

11 hours ago