Nintendo’s Switch has been out for almost two weeks, which of course means efforts to hack it are in full swing. A developer who goes by qwertyoruiop on Twitter has demonstrated that the console ships with months-old bugs in the WebKit browser engine. These bugs allow arbitrary code execution in the browser. A proof-of-concept explainer video has been posted here.
These bugs attracted attention last year when they were used to hijack an iPhone belonging to a political dissident in the United Arab Emirates. The bugs allow attackers to steal call history, text messages, contacts and calendar information, as well as messages from apps such as Gmail and WhatsApp. The trio of bugs, collectively known as “Trident”, was revealed after Apple patched them in iOS 9.3.5 in August 2016.
The potential impact of these vulnerabilities on Switch users is low. A Switch won’t hold the same amount of sensitive data as an iPhone or iPad, and there are far fewer Switches than iDevices. At the moment, the Switch also doesn’t include a standalone internet browser, although WebKit is present on the system for logging into public Wi-Fi hotspots, and with some coaxing you can use it to browse your Facebook feed.
The exploit could potentially open the door to jailbreaking and running homebrew software on the Switch, but at the time of writing, it does not appear to provide kernel access. The developer who discovered the exploit says himself that the vulnerability is only a “starting point.”
In any case, the presence of six-month-old software bugs suggests that Nintendo’s software development practices could be improved. Nintendo’s use of well-supported software projects such as WebKit and FreeBSD to power the Switch is generally a good thing. But it also means the company needs to stay on top of upstream patches to keep its console and its users safe. Once the always hectic launch period is behind us, hopefully Nintendo can better keep up.