The Nintendo Bug Bounty: What does it mean for 3DS users?
Last night, HackerOne – a website dedicated to “empower[ing] companies to protect consumer data, trust and loyalty” – published a program page from Nintendo. Under this program, known as the Nintendo Bug Bounty program, Nintendo offers between $100 and $20,000 for information on vulnerabilities in the 3DS system software. The value of a report is decided by Nintendo after the fact, so there is no sure way of knowing in advance how much a given piece of information is worth. Here is what they are looking for:
Below are examples of types of activities that Nintendo is focused on preventing:
- Piracy, including:
  - Game application dumping
  - Copied game application execution
- Cheating, including:
  - Game application modification
  - Save data modification
- Dissemination of inappropriate content to children
Below are examples of vulnerabilities that Nintendo is interested in receiving information about:
- System vulnerabilities regarding the Nintendo 3DS™ family of systems
  - Privilege escalation on ARM11 userland
  - ARM11 kernel takeover
  - ARM9 userland takeover
  - ARM9 kernel takeover
- Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS™ family of systems
  - ARM11 userland takeover
- Hardware vulnerabilities regarding the Nintendo 3DS™ family of systems
  - Low-cost cloning
  - Security key detection via information leaks
This reminded me of the saying “If you want something done right, do it yourself”. But what if the system you designed has more holes in it than Swiss cheese? That is the predicament Nintendo currently finds itself in. The 3DS has been cracked open beyond the point of no return: pirates can get their games directly from the eShop, CFW on boot is a reality, and Virtual Console injection (including GBA, which Nintendo never intended users to have) is possible. With the release of nds_bootstrap, even the first steps towards DS injection have been taken with tools such as TWLoader. All of this got me wondering whether a Bug Bounty Program is needed at all.
While trying to gather the reactions of the community on Twitter, I found this tweet by Smealum:
also regarding 3ds this bug bounty will likely help pirates more than harm: people will just wait for new versions and bindiff
— smea (@smealum) December 6, 2016
As someone who has been around hacking for a while, I had a few thoughts of my own but am no expert in the matter. This prompted me to contact Smealum, and he found some time to answer my questions about the Bug Bounty.
Conversation with Smealum
My first question was about his tweet. The entire point of this Bug Bounty program, I assume, has to be correcting flaws that Nintendo engineers have overlooked. With that in mind, I asked him to expand a little on his tweet first, since I wanted to understand how this would help others more than Nintendo itself.
In the long term this does help Nintendo because fewer and fewer bugs means it becomes harder to exploit. In the short term though, it means anytime they push an update that includes a bugfix attackers can just bindiff to find out what was fixed. For example, if Nintendo released 12.0 with bounty fixes tomorrow, we’d just look at what changed between 11.2 and 12.0, and we’d be able to figure out which vulnerabilities were fixed. People actually do that on “real” targets like desktop PCs because they know updates take a while to propagate, so in the meantime people remain vulnerable to last month’s vulnerabilities. The concept here is the same, all people have to do is stay on 11.2.
This means that even with the Bounty program, it is very likely that nothing at all will change in the 3DS scene. This answer was a perfect lead-in to my second question, which was about the 3DS System Software itself: is there really anything left to crack? As I stated earlier in this article, hackers have pretty much taken over every single bit of the 3DS hardware and software, and not even hardware revisions could fix that. This is what Smealum had to say about that:
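Smealum's point about bindiffing is easy to see in practice. The script below is an added example written for this article (it is not code from the original post, from Smealum, or from any 3DS tool): given a "before" image and an "after" image, it aligns the two with difflib's SequenceMatcher and reports only the regions that changed, then drops changes confined to the header so that what remains are the candidate fixes. Real patch-diffing tools such as BinDiff or Diaphora do this per function on the disassembly rather than per byte, and the script assumes both images are already decrypted plain binaries. The images, the 8-byte header layout, the function names (diff_images, code_changes, describe, find_candidate_fixes) and the inserted Thumb sequence are all constructed for the example.

```python
"""Patch diffing of two firmware images, byte-for-byte (added example).

Given a "before" image (the version everyone stays on) and an "after" image
(the version that ships the fixes), report every region that changed.  Real
tooling (BinDiff, Diaphora) works per function on the disassembly; this
script shows the principle at the byte level and assumes both images are
already decrypted plain binaries.
"""
from difflib import SequenceMatcher
from typing import List, Tuple

# (kind, old_start, old_end, new_start, new_end); kind is replace/insert/delete
Change = Tuple[str, int, int, int, int]


def diff_images(old: bytes, new: bytes) -> List[Change]:
    """Return the regions where `new` differs from `old`, with offsets into each.

    SequenceMatcher aligns the common runs, so a few inserted instructions do
    not make everything after them look changed (a naive byte-at-offset
    compare would).  autojunk must be off or long images get pruned.
    """
    matcher = SequenceMatcher(None, old, new, autojunk=False)
    return [(tag, i1, i2, j1, j2)
            for tag, i1, i2, j1, j2 in matcher.get_opcodes()
            if tag != "equal"]


def code_changes(changes: List[Change], header_len: int) -> List[Change]:
    """Drop changes confined to the image header (version bumps and the like)
    so only edits to the code body remain; those are the candidate fixes."""
    return [c for c in changes if c[2] > header_len or c[4] > header_len]


def describe(old: bytes, new: bytes, changes: List[Change],
             context: int = 4) -> str:
    """Human-readable report with a few bytes of context on either side."""
    lines = []
    for kind, i1, i2, j1, j2 in changes:
        lines.append(f"{kind:<7} old[{i1:#06x}:{i2:#06x}] -> "
                     f"new[{j1:#06x}:{j2:#06x}]")
        lines.append("  - " + old[max(0, i1 - context):i2 + context].hex(" "))
        lines.append("  + " + new[max(0, j1 - context):j2 + context].hex(" "))
    return "\n".join(lines)


# Constructed sample images (not real 3DS firmware): an 8-byte header holding
# a magic and a version number, followed by a code body.
HEADER_LEN = 8
CODE = bytes(range(256))                      # stand-in for the code body
OLD_IMAGE = b"FIRM" + bytes([11, 2, 0, 0]) + CODE      # "11.2"
# The "fixed" build bumps the version and inserts a 4-byte Thumb sequence
# (cmp r3, #0x28 ; bhi ...) at code offset 0x40, standing in for an added
# bounds check.  Everything after it shifts by 4 bytes.
PATCH = bytes.fromhex("28 2b 03 d8")
NEW_IMAGE = (b"FIRM" + bytes([12, 0, 0, 0])            # "12.0"
             + CODE[:0x40] + PATCH + CODE[0x40:])


def find_candidate_fixes() -> List[Change]:
    """Diff the constructed images and keep only the code-body changes."""
    return code_changes(diff_images(OLD_IMAGE, NEW_IMAGE), HEADER_LEN)


if __name__ == "__main__":
    all_changes = diff_images(OLD_IMAGE, NEW_IMAGE)
    print(describe(OLD_IMAGE, NEW_IMAGE, all_changes))
    print("candidate fixes:", find_candidate_fixes())
```

On the constructed pair the only code-body change reported is the four inserted bytes at offset 0x48 of the new image; the version bump in the header is filtered out. That is the whole attack Smealum describes: anyone holding the old version now knows exactly which instructions to look at, and the fix itself tells them where the bug was.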
There’s really nothing left to do on 3DS other than maybe taking a hard and close look at how the back compatibility is implemented to see if there are any ways to exploit that. The main thing at this stage is keeping the latest version exploitable so that people can still run homebrew (or, for a lot of people, pirate) on the console they get for Christmas. The upcoming CCC talk will certainly help drive that point home.
Just like Yifan Lu did in an interview with Vice last month, Smealum doesn't shy away from the reality that most people only want hacks so that they can pirate games on their systems. Whether people like me see value in game ports and original homebrew content is irrelevant: most people want free games. However, the topic at hand isn't piracy, even if it is related.
This led me to my last question, which was about Nintendo itself. Are they desperate? Their constant patching of the 3DS System Software has become so obnoxious to users that it has reached meme levels. I usually make a lot of jokes here on the website about Sony and its StabilityTM patches for the Vita (and the PSP before it), but Nintendo is just as bad. Coming off as utterly incompetent probably isn't part of Nintendo's plans for public perception, so I had to ask about it.
I don’t think they’re desperate. I think they’re just finally entering the 21st century in terms of handling security and they should be given props for that; it’s a step in the right direction. I’ve expressed my lack of confidence regarding bug bounties on Twitter but on a system with relatively little churn like the 3DS it definitely makes sense. In my opinion this is more about the future than it is about the 3DS itself. I think it’s either that they’re doing this because they plan on reusing 3DS code in the future, or it’s a test run for future platforms.
In comes the Nintendo Switch!
I had already considered something along the lines of what Smealum said. Maybe this is not about the 3DS but rather about the Nintendo Switch. Notice that Nintendo specifically asks for information on ARM9 and ARM11 hacks, both kernel and usermode. After some digging I found this tidbit about the Switch on the nVidia website:
Nintendo Switch is powered by the performance of the custom Tegra processor. The high-efficiency scalable processor includes an NVIDIA GPU based on the same architecture as the world’s top-performing GeForce gaming graphics cards.
Looking around some more, I found more specific information on the Tegra family of SoCs (systems-on-a-chip), both released and upcoming, and noticed that they all use ARMv7 or ARMv8 cores, whereas the ARM9 and ARM11 in the 3DS are much older ARMv5 and ARMv6 designs. nVidia clearly states it will be a “custom Tegra processor”, which at the time of writing seems to be the Tegra X2, codenamed Parker. The funny thing about this is that the SoC seems to be targeted at... cars. In the technical terms we have been using, this means we are talking about an ARMv8 processor.
This confused me a little, but it does seem to make sense. From what we know of the Switch so far, it looks like it will run games at 900p, down from the 1080p the Wii U was capable of. This supports the idea that the Switch will be powered by a purely mobile SoC, meaning Nintendo seems uninterested in competing directly with Sony and Microsoft. With an ARM SoC powering the Switch, it may well be that Nintendo is simply looking to learn from all its failures with the ARM9 and ARM11 of the 3DS and make sure they don't happen again with the Switch.
If you are a 3DS user like me, it is very likely this Bounty Program will not affect you in the least. As Smealum said, the entire 3DS is cracked, and it will be very easy for hackers to find out which holes are plugged in future System Software updates, whether they are related to the bounty or not. Nintendo's focus with this program may be something else entirely, and while I couldn't get a conclusive answer on that, I think I have made a fairly educated guess. They seem to be planning ahead rather than looking back, but we will only know for sure when hackers take a look at the Switch.
If nothing else, it seems to have given someone a nice business plan for the next few years:
new business model: report all webkit vulns in bug database from 2011 to Nintendo and make $200 a pop
— smea (@smealum) December 6, 2016
Have a nice week everyone!
I want to extend my thanks to Smealum for finding time for a quick conversation with me last night on this topic. He was extremely approachable and shed light on a few things I had not considered while drafting my ideas for this article. Thanks man!