The Nintendo Bug Bounty: What does it mean for 3DS users?
Last night, HackerOne, a website dedicated to “empower[ing] companies to protect consumer data, trust and loyalty”, published a program page for Nintendo. In this program, known as the Nintendo Bug Bounty, Nintendo offers between $100 and $20,000 for information on vulnerabilities in the 3DS system software. The value of any report is decided by Nintendo after the fact, so there is no way to know in advance how much a specific piece of information is worth. Here is what they are looking for:
Below are examples of types of activities that Nintendo is focused on preventing:
- Piracy, including:
  - Game application dumping
  - Copied game application execution
- Cheating, including:
  - Game application modification
  - Save data modification
- Dissemination of inappropriate content to children
Below are examples of vulnerabilities that Nintendo is interested in receiving information about:
- System vulnerabilities regarding the Nintendo 3DS™ family of systems
  - Privilege escalation on ARM11 userland
  - ARM11 kernel takeover
  - ARM9 userland takeover
  - ARM9 kernel takeover
- Vulnerabilities regarding Nintendo-published applications for the Nintendo 3DS™ family of systems
  - ARM11 userland takeover
- Hardware vulnerabilities regarding the Nintendo 3DS™ family of systems
  - Low-cost cloning
  - Security key detection via information leaks
This reminded me of the saying “If you want something done right, do it yourself”. But what if the system you designed has more holes in it than Swiss cheese? That is the predicament in which Nintendo currently finds itself. The 3DS has been cracked open beyond the point of no return: pirates can get their games directly from the eShop, CFW on boot is a reality, and Virtual Console injection (including GBA, which Nintendo never intended users to have) is possible. With the release of nds_bootstrap, even the first steps towards DS injection have been taken with tools such as TWLoader. All of this got me wondering whether a Bug Bounty Program is needed at all.
While trying to gather the reactions of the community on Twitter, I found this tweet by Smealum:
also regarding 3ds this bug bounty will likely help pirates more than harm: people will just wait for new versions and bindiff
— smea (@smealum) December 6, 2016
As someone who has been around hacking for a while, I had a few thoughts myself but am no expert in the matter. This prompted me to contact Smealum and he found some time to answer my questions about this Bug Bounty.
Conversation with Smealum
My first question was about his tweet. The entire point of this Bug Bounty program, I assume, has to be correcting flaws that Nintendo engineers have overlooked. That being said, I asked him to expound a little on his tweet first, since I wanted to understand how this would help others more than Nintendo itself.
In the long term this does help Nintendo because fewer and fewer bugs means it becomes harder to exploit. In the short term though, it means anytime they push an update that includes a bugfix attackers can just bindiff to find out what was fixed. For example, if Nintendo released 12.0 with bounty fixes tomorrow, we’d just look at what changed between 11.2 and 12.0, and we’d be able to figure out which vulnerabilities were fixed. People actually do that on “real” targets like desktop PCs because they know updates take a while to propagate, so in the meantime people remain vulnerable to last month’s vulnerabilities. The concept here is the same, all people have to do is stay on 11.2.
This means that even with the Bounty program, it is very likely that nothing at all will change in the 3DS scene. This answer was a perfect lead-in to my second question, which was about the 3DS system software itself: is there really anything left to crack? As I stated earlier in this article, hackers have taken over pretty much every single bit of the 3DS’ hardware and software, and not even hardware revisions could fix that. This is what Smealum had to say about it:
There’s really nothing left to do on 3DS other than maybe taking a hard and close look at how the back compatibility is implemented to see if there are any ways to exploit that. The main thing at this stage is keeping the latest version exploitable so that people can still run homebrew (or, for a lot of people, pirate) on the console they get for Christmas. The upcoming CCC talk will certainly help drive that point home.
Just like Yifan Lu did in an interview for Vice last month, Smealum doesn’t shy away from the reality that most people only want hacks so that they can get piracy on their systems. Whether people like me see value in game ports and original homebrew content is irrelevant. Most people want to get free games. However the topic at hand isn’t piracy, even if it is related.
This led me to my last question, which was about Nintendo itself. Are they desperate? Their constant patching of the 3DS system software has become so obnoxious to users that it has reached meme levels. I usually make a lot of jokes here on the website about Sony and their Stability™ patches for the Vita (and the PSP before it), but Nintendo is just as bad. Coming across as utterly incompetent probably isn’t part of Nintendo’s plans for public perception, so I had to ask about it.
I don’t think they’re desperate. I think they’re just finally entering the 21st century in terms of handling security and they should be given props for that; it’s a step in the right direction. I’ve expressed my lack of confidence regarding bug bounties on Twitter but on a system with relatively little churn like the 3DS it definitely makes sense. In my opinion this is more about the future than it is about the 3DS itself. I think it’s either that they’re doing this because they plan on reusing 3DS code in the future, or it’s a test run for future platforms.
In comes the Nintendo Switch!
I had considered something along the lines of what Smealum said. Maybe this is not about the 3DS at all, but rather about the Nintendo Switch. Notice that Nintendo specifically asks for information on ARM9 and ARM11 hacks, both kernel and usermode. After some digging I found this little tidbit about the Switch on the nVidia website:
Nintendo Switch is powered by the performance of the custom Tegra processor. The high-efficiency scalable processor includes an NVIDIA GPU based on the same architecture as the world’s top-performing GeForce gaming graphics cards.
Looking further, I found more specific information on the Tegra family of SoCs (system-on-a-chip), both released and upcoming, and noticed that their CPU cores are all either ARMv7 or ARMv8 designs. nVidia clearly states it will be a “custom Tegra processor”, which seems to be the Tegra X2, nicknamed Parker. The funny thing is that this SoC seems to be targeted at… cars. In the terms we have been using, this means we are talking about an ARMv8 processor.
This confuses me a little, but it does seem to make sense. From what we currently know of the Switch, it looks like it will run games at 900p, down from the 1080p the Wii U was capable of. This fits the idea that the Switch will be powered by a purely mobile SoC, meaning Nintendo seems uninterested in competing directly with Sony and Microsoft. With an ARM SoC powering the Switch, it may well be that Nintendo is simply looking to learn from all of its failures with the ARM9 and ARM11 of the 3DS and to make sure they are not repeated on the Switch.
Conclusion
If you are a 3DS user like me, it is very likely that this Bounty Program will not affect you in the least. As Smealum said, hackers have the entire 3DS cracked, and it will be very easy for them to find out which holes are plugged in future system software updates, whether those fixes come from this program or not. Nintendo’s focus with this program may lie elsewhere entirely, and while I could not get a conclusive answer on that, I think I have made a very educated guess. They seem to be planning ahead rather than looking back, but we will only know for sure when hackers take a look at the Switch.
If nothing else, it seems to have given someone a nice business plan for the next few years:
new business model: report all webkit vulns in bug database from 2011 to Nintendo and make $200 a pop
— smea (@smealum) December 6, 2016
Have a nice week everyone!
I want to extend my thanks to Smealum for finding time to have a quick conversation with me last night over this topic. He was extremely approachable and shed light on a few things I had not considered while drafting my ideas for this article. Thanks man!
And yet those same people who said it doesn’t matter later come out and whine when someone reports an exploit they have been keeping secret for years; in recent days, take the PS4 exploit as an example.
The only people that whine about exploits being burnt are the little kids who wanted them to pirate games. Real devs don’t. They do this for fun, much like the devs behind the last PS4 exploit. They couldn’t care less what happens with it. It’s a hobby of theirs. As long as they make others happy, they are happy themselves.
If that is truly your outlook on all the great devs that have contributed to the scenes over the years, then you may want to reevaluate where you are getting all of your information.
Just a few examples that apparently were deemed important enough to make it into a wololo post.
http://wololo.net/2016/10/25/chaitin-tech-bugs-used-ps4-4-01-jailbreak-will-reported-sony/
Be that as it may
http://wololo.net/2016/11/17/ps4-firmware-4-06-released-hackers-confirm-patches-4-01-jailbreak/
So what?
They found that exploit, so they can do whatever they want with it. If you don’t like it, find them yourself. Easy logic, right?
This bounty program is probably more for the Switch, to help prevent piracy on that system and make the Switch the new Vita in terms of security.
Nice article, had a good read. Thanks!
This really means more for future Nintendo consoles and even competitors’ future consoles if it goes well for Nintendo. If a hacker finds a major kernel exploit on, say, the Switch, should he develop it into a CFW/HBL and release his work for free to a bunch of people who will probably be ungrateful and just demand more (as theFlow just experienced), or avoid the work and cash it in for a payday? What’s more, it will be impossible to share his work with even a small group of like-minded hackers to help work on a CFW solution without worrying about one of them cashing in his work as their own.
In fact, I predict that the Switch hacking scene will experience that exact thing: someone will find an exploit and begin work on a hack, and one of their trusted friends will sell said exploit to Nintendo behind their back.
Well, I’m kind of interested whether hackers have such low dignity that they would sell it for $100 to $20,000; even the offer is kind of squishy, “100 to 20,000” is meaningless if you look at how much they make with just a Mario or Pokémon in a year.
I don’t think they will even pay you twice, like in the new business model in the Smealum example, when your exploit changes nothing. If Nintendo is really after a safe console, then why the heck are they not recruiting the whole scene into their teams instead of that *** offer?
The only reason for this move could be the mind game RiotDX meant, that no one will trust each other in the scenes now.
But I hope they will get the opposite and the Nintendo hacking scene will become Nintendo’s biggest nightmare, so that Nintendo regrets the idea that they could buy our Robintendo Hoods for such a low price xD
And my last words go to the piracy thing:
Come on guys, get your heads out of the ***, that is nothing new and all of the scene is kind of using it for illegal purposes (just read the terms and conditions, almost everything is illegal in the companies’ opinion), and even though people say it hurts the company, it’s funny that the big three are still in business even with piracy since their beginning, and most pirates are anyway too lazy to get their hands on complicated exploits and wait until they are easier, but by that time the console is past its zenith anyway, like the PSP -.-
Btw, the so much defended PS Vita actually got burned without any real piracy, and the very exploited PS3 is one of the best-selling consoles.
And for those people who are saying the hacking and exploiting is for fun, then may I ask you whether they would give a baby a loaded gun for fun?
They know the consequences and I think they should stand by them, because in one way they are helping many young and old people, like with the region unlock for the 3DS, or the customisation so that even the portable devices get the feeling of cool mods for Pokémon and others.
Honestly, this would be pretty bad for the hacking scene if hackers follow through with this, not from a piracy standpoint but from a homebrew standpoint, and for being able to emulate games on a system that wouldn’t have supported them to begin with. This wouldn’t stop piracy in the slightest, especially since a lot of the time, especially with DS or cartridge-based products, the hack is going to be in the cartridge itself, not in the system; if someone wants to pirate stuff they will just buy that cartridge and pirate away. This will only really affect the homebrew scene, and who knows, Nintendo might just cheap out on a lot of them. Heck, most flashcart makers wouldn’t go along with this because there is more of a financial incentive to make the exploit, sell the carts themselves and make a profit, as opposed to giving the exploit to Nintendo, who will then give them maybe 500 bucks. I sincerely doubt any hacker is going to be getting 20,000 dollars.