Hacker releases proof-of-concept Nintendo Switch jailbreak


In what amounts to an innocuous but important proof-of-concept, a hacker called qwertyoruiopz has released a pseudo-jailbreak that allows you to run arbitrary code on the Nintendo Switch. The interesting thing? Because of a bug in the browser software used on the Switch, the same jailbreak that let iOS 9 users modify their phones has been repurposed to attack the console.

The jailbreak code is available here and it primarily consists of a web server that sends over some code that will let you “overwrite anything in memory.” It doesn’t actually jailbreak the Switch in any traditional way; instead it shows what is possible.

The exploit is ingenious. The Nintendo Switch has a hidden WebKit browser that is used when you connect to Wi-Fi using a captive portal. This means that the Switch calls up a browser whenever you are, say, logging in at a hotel or coffee shop and have to type in your email or a code. Because of this behavior — behavior that happens nowhere else in the Switch’s operating system — you can send malformed commands to the Switch and access some very basic functions.

The underlying vulnerability, CVE-2016-4657, is described as affecting “WebKit in Apple iOS before 9.3.5” and as one that “allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site.” It is not specifically an iOS bug; it can affect anything running an unpatched version of WebKit… like the Switch.


To be clear, you’re not going to be playing pirated Zelda games on your Switch any time soon. Since the mass hacking of the Xbox 360 and PS3, it has been extremely difficult to release a console jailbreak or crack into the wild. While there are some very primitive and difficult tools that can let you run unsigned code or play pirated games, it’s clear the game console manufacturers have hardened their systems to near perfection. Further, thanks to the proliferation of downloaded games, it’s far harder to sideload or burn discs of pirated titles for use on your modern console. After all, control of the console is how Microsoft, Nintendo and Sony make all their money.

As it stands, this jailbreak does very little, but it does open up the Switch to further inspection, something Nintendo can’t allow. Therefore, this Switch jailbreak will probably disappear as soon as Nintendo pushes an update, rendering this exploit harmless. But, as an intellectual exercise in software freedom, it’s fun to see how easy — or hard — it is to crack through layers and layers of hardened corporate code and get to the juicy center of a brand new computing device.