Nintendo acknowledges having corrected a serious security problem on the Switch, the 3DS and the Wii U. A flaw allowed hackers to take control of the consoles remotely, simply by playing online with very popular games…
We can never stress enough the importance of updating our devices, software and applications, including years after their release! Throughout 2022, Nintendo has quietly fixed a dangerous security flaw in several cult games on 3DS, Wii U and Switch. Dubbed ENLBufferPwn and discovered by hackers PabloMK7, Rambo6Glaz and FishGuy6564, it allowed a pirate, when playing online with his victim, to execute arbitrary code on his opponent’s console, without the player’s consent. It has since been patched on affected games by Nintendo – but the authors of the discovery fear it may be present in other games that have not yet been discovered. And the consequences of such a hack can be very serious…
Here is ENLBufferPwn (CVE ID pending), a severe vulnerability in many first party 3DS, Wii U and Switch games. It allows remote code execution in a victim console by just having an online game session with an attacker.
Vulnerability report: https://t.co/QbvXKQLeDf
(1/7) pic.twitter.com/4qewU5YQ9x—PabloMK7 (@Pablomf6) December 24, 2022
Hacking Switch: hackable cult games online
As PabloMK7 explains on Twitter, this vulnerability, combined with other flaws in the operating system, allowed remote code execution in a console by simply having an online gaming session with the hacker on the affected games. . He could then perform more or less serious actions depending on the game, “ranging from simple harmless changes to game memory (like repeatedly opening and closing the home menu on the 3DS) to more serious actions like taking full control of the console”, explains the hacker. Takeover that allowed him to access the microphones and cameras of the console – and therefore take recordings without the knowledge of the victim – as well as confidential payment information. No wonder CVSS V3 Calculator, a system that ranks vulnerabilities based on how dangerous they are, gave ENLBufferPwn a severity rating of 9.8 out of 10!
Here is the list of multiplayer games affected by the flaw:
- Mario Kart 7 on 3DS (fixed)
- Mario Kart 8 on Wii U
- Splatoon on Wii U
- Animal Crossing: New Horizons on Switch (fixed)
- ARMS on Switch (fixed)
- Mario Kart 8 Deluxe on Switch (fixed)
- Nintendo Switch Sports on Switch (fixed)
- Splatoon 2 on Switch (fixed)
- Splatoon 3 on Switch (fixed)
- Super Mario Maker 2 on Switch (fixed)
Note that the titles Mario Kart 8 and Splatoon on Wii U have not yet been patched and it is unknown if any updates are planned. Other games could also – and even certainly – be affected by the flaw – we may still hear about it. For having helped the Japanese firm to discover it, Pablo MK7 indicates having received 1,000 dollars. “I would also like to thank Nintendo for giving me the opportunity to collaborate in the discovery and investigation of this vulnerability, and for devoting resources to fixing it in older titles. I hope these actions have helped create a safer online gaming environment.” he concludes.