That explains all those updates we’ve been getting this year.
Some older Nintendo games have been found to have security holes that can be exploited by simply playing online.
The “ENLBufferPwn” exploit, rated as a 9.8 / 10 (Critical) on the Common Vulnerability Scoring System (CVSS) scale, has been found in older Nintendo games dating back to Mario Kart 7 and can allow for a full takeover of the system by a third party. Potential uses include accessing saved payment information and using the 3DS and Wii U GamePad’s built-in cameras and microphone to capture audio and video.
The vulnerability utilizes a “buffer overflow” attack as the affected games did not specify a limit to the amount of data that is sent in a game session; this is nominally some player data (such as a player’s Mii in Mario Kart 7) but the lack of a limit could allow for a full takeover of the system – even without visible detection from the victim.
The vulnerability report shows the following games affected but warns that other first party titles could be involved:
- 3DS: Mario Kart 7
- Wii U: Splatoon, Mario Kart 8
- Switch: Mario Kart 8 Deluxe, ARMS, Splatoon 2 / 3, Super Mario Maker 2, Animal Crossing: New Horizons, Nintendo Switch Sports
Mario Kart 7 recently received its first patch in over a decade to patch the issue, and the Switch titles have either been patched out-of-cycle or had the fix included in other feature updates. However, the Wii U games have not been patched as of press time, and it is not known if they will. The patch system of the 3DS, which requires downloading them from the eShop, also means that other vulnerable titles may not be fixed prior to the closure of the 3DS and Wii U eShops in February.
Nintendo was notified of the vulnerability by the discovering parties prior to the disclosure through a bug bounty program, which allowed for the existing patches to be programmed.