Hackers have already gotten under the Nintendo Switch hood

The Nintendo Switch may not have a web browser, but that hasn’t stopped hackers breaching its defenses recently.

It’s been a week since the console launched to the public, and well-known iOS hacker qwertyoruiop is already claiming he’s found a way into the console thanks to the similarities it shares with Apple devices. 

Though the Switch doesn’t have (or really need) a browser, it does have to be able to sign into public Wi-Fi portals. To do this it uses Apple’s WebKit engine, which is also used in Safari on Mac and iOS. 

What do Nintendo and Apple have in common?

And therein lies the way in. This wouldn’t be that much of a problem if the Switch wasn’t using an older, iOS 9.3 version of WebKit for which there are known vulnerabilities for hackers to take advantage of.

This WebKit version in particular has a vulnerability which previously left iPhones open to the Pegasus malware. Though Apple patched the weakness with the iOS 9.3.5 update, Nintendo has opted for whatever reason to use the older version. 

To break into the Switch, qwertyoruiop simply had to modify his old exploit by ridding it of the iOS-specific code and adapting it to the Switch. For anyone looking for more details on how the exploit works, OverFlow has a video explaining in detail:

Though it's a first tentative step, the fact that it can be done, and that there’s a route into the system from where access can possibly escalate, should prove worrying for Nintendo.

It's very much a case of "there's no door and a window hasn't been opened, but we've found a mouse hole to burrow into". Unless, of course, Nintendo patches the vulnerability quickly itself.