It's been hard to find a vulnerability on the Nintendo Switch, as on any new console with a unique architecture. Until now, that is.
It was just a matter of time, really. A newly published "exploit chain" for Nvidia Tegra X1 systems, on which the Switch runs on, seems to illustrate a method for running arbitrary code on Switch consoles, and it's apparently unpatchable.
Hacker Katherine Temkin along with a hacking team at ReSwitched just released a detailed document of a so-called Fusée Gelée coldboot vulnerability, on top of a proof-of-concept payload that shows the hack is working on the Switch.
"Fusée Gelée isn't a perfect, 'holy grail' exploit-though in some cases it can be pretty damned close," states Temkin in a FAQ.
Fusée Gelée Nintendo Switch Exploit
As described, the exploit takes advantage of a vulnerability within the Tegra X1's USB recovery mode. It successfully circumvents lock-out operation that would typically insulate the chip's bootROM. The hack works by sending an improperly coded USB control procedure at the right point, and through this the system can be forced to "request up to 65,535 bytes per control request." the data overflows a direct memory access buffer in the bootROM, which in turn enables the hacker to run code.
As mentioned, the exploit isn't the kind Nintendo can simply erase with a patch because it's baked into the read-only memory of the chip. That means it leaves millions of Switch units around the world permanently vulnerable. The only way to offset the situation is if Nintendo decides to tweak the code from the ground up and restart the manufacturing line.
Exploiting consoles is performed for a variety of reasons, chief of them being piracy. Console makers such as Nintendo work tirelessly to prevent this kind of situation from happening since piracy takes a toll on sales, which in turn affects motivation for game development, especially if gamers can just simply download titles off the internet for free. This, of course, is the worst-case scenario, and it fortunately hasn't happened yet, but the exploit paves a road that can lead to piracy.
What Nintendo Can Do
Nintendo isn't totally powerless here, however. Suppose the exploit does later yield full-blown piracy measures, the company can make it so that modified Switch consoles aren't able to access online features, or ban accounts tied to them. It may also choose to "brick" affected consoles remotely, a way of rendering a system defunct suppose it violates the company's policies. This was common practice during the Wii era, and it still occurs now.
Nintendo has yet to comment on Fusée Gelée.