Researchers have released a proof of concept for a coldboot vulnerability in Nintendo Switch devices that allows attackers to achieve full, unauthenticated arbitrary code execution.
The proof of concept, dubbed the “Fusée Gelée” coldboot vulnerability, is reportedly unpatchable on all current Switch consoles and was developed by hardware hacker Katherine Temkin and the ReSwitched hacking team.
The flaw exists in the Tegra X1's USB recovery mode and circumvents the lock-out operations that would usually protect the chip's bootROM, according to an April 23 GitHub post detailing the exploit. The vulnerability is the result of a 'coding mistake' in the read-only bootROM found in most Tegra devices.
“As this vulnerability allows arbitrary code execution on the Boot and Power Management Processor (BPMP) before any lock-outs take effect, this vulnerability compromises the entire root-of-trust for each processor, and allows exfiltration of secrets e.g. burned into device fuses,” the post said.
Researchers said the bootROM can't be modified once the Tegra chip leaves the factory. An attacker can leverage this vulnerability to copy the contents of a buffer they control over the active execution stack, gaining control of the Boot and Power Management Processor (BPMP) before any lock-outs or privilege reductions occur.
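The bug class the article describes, a recovery-mode handler that copies a host-supplied payload into a fixed buffer using a length the host also supplies, is illustrated below in an added example. This is not code from the Fusée Gelée write-up, from ReSwitched, or from any Tegra bootROM: the frame layout, the `BUF_SIZE` capacity, the `CANARY` marker and the handler names are all constructed for the illustration. The vulnerable handler is shown beside the hardened one, and the model reports whether the value saved past the buffer (standing in for a saved register or return address) survived the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not NVIDIA code. The "stack frame" is a flat byte region:
 * BUF_SIZE bytes of payload buffer, then a 32-bit saved value standing in for a
 * saved register or return address, then padding so an overrun of a few bytes
 * stays inside the region and the simulation remains defined behaviour. */
#define BUF_SIZE   64                 /* capacity the handler intends to accept */
#define FRAME_SIZE (BUF_SIZE + 64)    /* whole modelled region */
#define CANARY     0xA5A5A5A5u        /* marker written at frame[BUF_SIZE] */

/* Read the saved value back through memcpy (no out-of-bounds array access). */
static uint32_t saved_value(const uint8_t *frame) {
    uint32_t v;
    memcpy(&v, frame + BUF_SIZE, sizeof v);
    return v;
}

static void init_frame(uint8_t *frame) {
    uint32_t canary = CANARY;
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + BUF_SIZE, &canary, sizeof canary);
}

/* Vulnerable pattern: the copy length comes from the request header and is
 * never compared with BUF_SIZE. Returns 1 if the saved value was overwritten,
 * 0 if it survived, -1 if the request is larger than this model can simulate
 * (a limit of the simulation, not a security check in the modelled code). */
int handle_request_unchecked(const uint8_t *payload, size_t host_len) {
    uint8_t frame[FRAME_SIZE];
    init_frame(frame);
    if (host_len > FRAME_SIZE)
        return -1;
    memcpy(frame, payload, host_len);     /* BUG: bound is host-controlled */
    return saved_value(frame) != CANARY;
}

/* Hardened pattern: the length is validated against the buffer's real capacity
 * before any byte is copied. Returns 0 (saved value intact) or -2 (rejected). */
int handle_request_checked(const uint8_t *payload, size_t host_len) {
    uint8_t frame[FRAME_SIZE];
    init_frame(frame);
    if (host_len > BUF_SIZE)
        return -2;                        /* oversized request refused */
    memcpy(frame, payload, host_len);
    return saved_value(frame) != CANARY;  /* always 0 after the check */
}

/* Constructed 72-byte request: 64 bytes fill the buffer, 8 bytes run past it.
 * Returns 1 when the unchecked handler is corrupted and the checked one refuses. */
int demo(void) {
    uint8_t req[BUF_SIZE + 8];
    memset(req, 0x41, sizeof req);
    int corrupted = handle_request_unchecked(req, sizeof req);
    int rejected  = handle_request_checked(req, sizeof req);
    return corrupted == 1 && rejected == -2;
}

int main(void) {
    int ok = demo();
    printf("unchecked handler corrupted, checked handler refused: %s\n",
           ok ? "yes" : "no");
    return ok ? 0 : 1;
}
```

The point of the pairing is that the fix is a single comparison placed before the copy: once the length is bounded by the buffer's real capacity rather than by what the host sends, the overrun that lets a controlled buffer land on the stack cannot occur. In read-only boot code such a check cannot be added after manufacture, which is why the article calls the flaw unpatchable on existing units.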
Proof of concept released for Nintendo Switch arbitrary code attack