Console hacker reports flaw that opened the door to MitM attacks
The discovery of a critical digital certificate handling vulnerability by technology bundled with the Nintendo 3DS handheld gaming console has earned a researcher a $12,168 bug bounty.
The certificate validation flaw in the recently discontinued Nintendo 3DS created a mechanism to run manipulator-in-the-middle (MitM) attacks against gamers before it was resolved.
The flaw – discovered by a security researcher with the handle ‘MrNbaYoh’ and reported through HackerOne – meant that the SSL system module failed to validate digital certificates when attempting to establish a secure connection.
More precisely, the “SSL system module does not check the signatures when validating a certificate chain, allowing anyone to forge fake certificates and perform MitM attacks or spoof trusted servers”, according to the now-public vulnerability disclosure report on HackerOne.
The SSL system module in the Nintendo 3DS uses the RSA BSAFE MES library to implement SSL/TLS communication.
This module is highly customizable, and mistakes made in console-maker’s implementation, rather than inherent flaws in the technology, are the root cause of the problem.
The vulnerability created a means of spoofing Nintendo’s eShop servers or connections to some game servers before it was resolved, among other exploits.
The issue – dubbed ‘SSLoth’ by the researcher who discovered it – existed in Nintendo 3DS firmware versions 11.13 and below.
“The latest firmware update (11.14) patches SSLoth,” MrNbaYoh told The Daily Swig. “The other flaws were based on SSLoth, so by updating their 3DS, gamers should be safe.
“If they’re not willing to update, I’d recommend not using any untrusted [domain name server] DNS or proxy server, but doing so does not mean they're safe,” they added.
The 3DS was launched in 2011 and discontinued earlier this year as Nintendo throws its marketing efforts behind the device’s successor, the Switch.
It’s interesting to note, then, that a security flaw in a decade-old device can still attract a five-figure bug bounty from the Japanese gaming giant.
MrNbaYoh said he got into security bug bounties after developing an interest in hacking gaming consoles.
“It’s more my bug bounty activity that fits in my console hacking activity than the other way around,” he said. “I’m not really a bug bounty hunter.”
The researcher added: “I’ve been working on the 3DS since 2016 and it turned out at some point that Nintendo launched their bug bounty program.”
Thus far, the ethical hacker’s bug bounty activities have been restricted to Nintendo devices, but he said he was open to expanding his interests and looking at Sony’s PlayStation console.
“I still have things to do on 3DS, though, I might look into PS devices in the future,” MrNbaYoh told The Daily Swig.
Nintendo is yet to respond to a request for comment.