Over the past few months, Nintendo has patched a critical vulnerability in some of its older titles, according to the online portal Nintendo World Report. Apparently, simply playing online is enough to fall victim to the vulnerability.
The so-called “ENLBufferPwn” exploit, rated 9.8/10 (Critical) on the Common Vulnerability Scoring System (CVSS) scale, allows an attacker to completely take over the console in older Nintendo games such as Mario Kart 7. Payment information stored on the system, such as credit card data, can then be read out, or the attacker can use the camera and microphone of the 3DS and Wii U to record video and audio. Affected games apparently do not enforce a limit on transferred data. The transfer function is intended only for small amounts of data, such as your own Mii, but because there is no limit, an attacker can transfer as much data as they want after a takeover, without the user noticing. Twitter user PabloMK7 published a video of the 3DS on the right being taken over by the 3DS on the left.
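The missing limit described above, as an added C example (not code from Nintendo, the advisory or the affected games): a receiver that copies a length-prefixed record into a fixed-size slot, first without and then with the size check. The packet layout and the names `player_slot`, `slot_fill_unchecked`, `slot_fill_checked` and `SLOT_CAPACITY` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SLOT_CAPACITY 96 /* assumed size of a small per-player record */

struct player_slot {            /* hypothetical fixed-size destination */
    uint8_t data[SLOT_CAPACITY];
    size_t  used;
};

/* Before: trusts the 16-bit length the peer sent (kept for contrast only). */
int slot_fill_unchecked(struct player_slot *slot, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2) return -1;
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];
    memcpy(slot->data, pkt + 2, claimed); /* no limit: can write past data[] */
    slot->used = claimed;
    return 0;
}

/* After: reject a length that exceeds what arrived or what the slot holds. */
int slot_fill_checked(struct player_slot *slot, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < 2) return -1;
    size_t claimed = ((size_t)pkt[0] << 8) | pkt[1];
    if (claimed > pkt_len - 2) return -1;        /* more than was received */
    if (claimed > sizeof slot->data) return -1;  /* more than the slot holds */
    memcpy(slot->data, pkt + 2, claimed);
    slot->used = claimed;
    return 0;
}

int main(void)
{
    /* Constructed sample packets: 2-byte big-endian length, then payload. */
    uint8_t fits[6] = {0x00, 0x04, 'M', 'i', 'i', '!'};
    uint8_t big[202] = {0x00, 0xC8}; /* claims 200 bytes for a 96-byte slot */
    struct player_slot slot = {0};

    printf("fits: %d\n", slot_fill_checked(&slot, fits, sizeof fits));
    printf("big:  %d\n", slot_fill_checked(&slot, big, sizeof big));
    return 0;
}
```
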
The security advisory published on GitHub lists the following games:
- 3DS: Mario Kart 7
- Wii U: Splatoon, Mario Kart 8
- Switch: Mario Kart 8 Deluxe, ARMS, Splatoon 2 / 3, Super Mario Maker 2, Animal Crossing: New Horizons, Nintendo Switch Sports
Mario Kart 7 has since been patched to version 1.2 (its first update in over a decade), and affected Switch games have been patched either as part of other updates or specifically to close the vulnerability. On the Wii U, by contrast, nothing seems to have happened. Since patches on the 3DS have to be downloaded specifically from the eShop, it could well be that any remaining security gaps in other games can no longer be patched once the eShop shuts down at the end of March. At least for Mario Kart 7, there is therefore an acute need for action.