Arbitrary code execution, I choose you! - A brief history of interesting* home console security fails. Sarah Young - BSides Ottawa
Arbitrary code execution, I choose you!
A brief history of interesting* home console security fails.
* I think so, anyway.
Sarah Young
whoami
• Sarah Young, Security Architect @ Versent.
• Based in Melbourne.
• I’ve worked in Europe, New Zealand and Australia.
• I help customers move their stuff into the cloud securely.
• Worked in tech for the past decade or so.
• I overuse memes and GIFs.
• Wannabe crazy bird lady and alpaca enthusiast.
@_sarahyo
What am I talking about today?
• Absolutely-awful-#fail-vulns and other security things that have happened over the years in home consoles.
• The Tegra X1 arbitrary code execution vuln in the Nintendo Switch.
• The PS4 malicious character glitch.
• Atari vs. Nintendo’s anti-piracy chip.
• The Dreamcast’s big piracy issue.
• Pokémon #000, Missingno.
The Tegra X1 arbitrary code execution vuln in the Nintendo Switch
• Publicly disclosed as CVE-2018-6242 in June 2018.
• Discovered by Kate Temkin (@ktemkin) and fail0verflow (@fail0verflow) member shuffle2 at the same time.
• The exploit affects Nvidia Tegra X1 chips prior to the T186 / X2.
How does the exploit work?
• Tegra processors enter USB RCM boot mode when the processor straps are pulled to a particular value.
• The bootloader’s implementation of RCM allows a small piece of code (an applet) to be read and loaded into RAM.
• RCM requires these applets to be signed with RSA or AES-CMAC.
How does the exploit work?
(Diagram: RCM command + payload → global buffer + target load address → signature check)
Credit: Kate Temkin
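The slides above describe the loader as three steps: receive an RCM command and payload, copy it into a global buffer at a target load address, then check the signature. Kate Temkin’s report (linked under further reading) attributes the flaw to a length taken from the USB request that was never bounded against the receive buffer, so the copy could run past the buffer before the signature check was reached. The following is an added example, not code from the deck or from the Tegra bootloader: a hypothetical model of such a loader that applies the two checks in the right order, bounding the attacker-controlled length before copying and authenticating the applet before returning it for execution. The RCM header layout, the buffer size and the key are constructed for the example, and HMAC-SHA256 stands in for the AES-CMAC the slides mention because the Python standard library has no CMAC.

```python
import hashlib
import hmac
import struct

# Constructed parameters for this model loader; none of these are Tegra values.
BUFFER_SIZE = 4096                 # fixed-size global receive buffer
HEADER = struct.Struct("<4sII")    # magic, applet length, target load address
MAGIC = b"RCM!"
KEY = b"constructed-demo-key"      # stands in for the device's provisioned key
TAG_LEN = hashlib.sha256().digest_size


class RejectedApplet(Exception):
    """Raised for any command the loader refuses to run."""


def sign_applet(target_addr, payload, key=KEY):
    """Tag over (target address || applet). HMAC-SHA256 stands in for AES-CMAC."""
    return hmac.new(key, struct.pack("<I", target_addr) + payload, hashlib.sha256).digest()


def build_command(target_addr, payload, tag):
    """Serialise a command the way a host would send it: header, applet, tag."""
    return HEADER.pack(MAGIC, len(payload), target_addr) + payload + tag


def load_applet(command, key=KEY):
    """Parse a command, copy the applet into the buffer, verify it.

    Returns (target_addr, applet) only for a well-formed, in-bounds, authenticated
    applet; everything else raises RejectedApplet before any 'execution' step.
    """
    if len(command) < HEADER.size:
        raise RejectedApplet("short header")
    magic, length, target_addr = HEADER.unpack_from(command, 0)
    if magic != MAGIC:
        raise RejectedApplet("bad magic")

    # 1. Bound the host-supplied length against the buffer BEFORE copying.
    #    This is the check whose absence turns a copy into an overflow.
    if length > BUFFER_SIZE:
        raise RejectedApplet(f"applet length {length} exceeds buffer of {BUFFER_SIZE}")

    body = command[HEADER.size:]
    if len(body) != length + TAG_LEN:
        raise RejectedApplet("length field does not match bytes received")

    buffer = bytearray(BUFFER_SIZE)    # the 'global buffer' of the diagram
    buffer[:length] = body[:length]    # bounded copy
    tag = body[length:]

    # 2. Authenticate the applet and its load address before handing it over.
    expected = sign_applet(target_addr, bytes(buffer[:length]), key)
    if not hmac.compare_digest(tag, expected):
        raise RejectedApplet("signature check failed")

    return target_addr, bytes(buffer[:length])


if __name__ == "__main__":
    applet = b"\x00\xbf" * 16           # constructed stand-in for applet code
    addr = 0x40010000                   # constructed load address
    cmd = build_command(addr, applet, sign_applet(addr, applet))
    print(load_applet(cmd)[0] == addr)  # True: valid applet accepted
    too_big = b"\x00" * (BUFFER_SIZE + 1)
    try:
        load_applet(build_command(addr, too_big, sign_applet(addr, too_big)))
    except RejectedApplet as e:
        print("rejected:", e)           # oversize length stopped before the copy
```

The order of the checks is the point: the length bound runs on the raw header, before a single byte is copied, and the authenticity check runs on what actually landed in the buffer, not on what the header claimed. Swapping or dropping either check reproduces the shape of failure the slide describes.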
Uses of the Switch vuln
Disclaimer: If you try this at home you may brick your Switch. Try this at your own risk!
Let’s watch me doing this on my Switch
But a few weeks ago… https://www.wsj.com/articles/nintendo-plans-new-version-of-switch-next-year-1538629322
PS4 malicious character glitch
Credit: u/Huntstark, Reddit
Let’s go back in time…
Atari Tengen vs. Nintendo
• The Nintendo Entertainment System was released in 1983 in Japan, 1985 in North America and 1986 in the EU and Australia.
• Nintendo kept strict controls on which games were published.
• Games had to be approved by Nintendo prior to release.
• Publishers also had to buy Nintendo’s cartridges, which had an anti-piracy chip in them.
The NES anti-piracy chip
• Atari had fallen out with Nintendo in the late 80s over the rights to Tetris.
• Atari (via its subsidiary Tengen) decided to try to reverse-engineer the 10NES chip so they didn’t have to go through Nintendo’s review process and could make their own cartridges.
• The 10NES proved difficult to reverse-engineer.
THE US PATENT OFFICE ACTUALLY HANDED OVER THE 10NES BLUEPRINTS TO TENGEN.
We all know what happens next
Dreamcast pirates
• We all know that the Sega Dreamcast didn’t do so well.
• Sega used a proprietary media format called Mil-CD on GD-ROMs.
• The Dreamcast had only been released in November 1998 in Japan and September 1999 in North America.
• The Dreamcast’s copy protection was broken in June 2000.
1. An exploit found in Phantasy Star Online: it allowed you to stream the entire game’s code through an Ethernet cable.
2. Closer to traditional disc-swapping and tricking a PC into reading the GD track.
One final mystery…
The Christmas PSN and Xbox Live attacks
DDoS attacks on the PSN and Xbox Live networks
Pokémon #000, aka Missingno.
Most of us will remember this thing
How did you make Missingno. appear?
Why did Missingno. appear?
Are there any takeaways from this?
• Hardware vulns are particularly tricky/impossible to fix once they’re out in the wild.
• Malicious parties will go to great lengths to achieve their goals – don’t underestimate them.
• If you’re going to brag about how unbreakable/unbeatable/etc. your tech is, you’re effectively challenging people to break it.
• Security via obscurity is not a real control.
• Sloppy code and programming always, always causes problems.
Further reading and watching
• Kate Temkin’s in-depth explanation of the vuln - https://github.com/Cease-and-DeSwitch/fusee-launcher/blob/master/report/fusee_gelee.md
• shuffle2’s repo for the Switch Linux launcher - https://github.com/fail0verflow/shofel2
• Reddit thread on the PS4 malicious character glitch - https://www.reddit.com/r/PS4/comments/9nselm/warning_set_your_messages_to_private/
• Tengen: Atari Games vs. Nintendo, the Gaming Historian - https://www.youtube.com/watch?v=fLA_d9q6ySs
• Technical write-up of pirating the Dreamcast’s Mil-CD - http://wololo.net/2012/11/12/sega-dreamcast-how-its-security-works-and-how-it-was-hacked/
• Dreamcast pirates made the console legendary - https://medium.com/@michaelgapper/land-of-the-free-467f0eb2f395
• An in-depth write-up of the Pokémon Red/Blue Missingno. glitch - https://www.smogon.com/smog/issue27/glitch
Thank you! Merci!