Hello, welcome to the Thursday, March 9th, 2017 edition of the Sansonet Storm Center's Stormcast.

My name is Johannes Ulrich, and I am recording from Jacksonville, Florida.

A few days ago, Nintendo came out with its new Switch console, and well, of course, there is now a pretty intense search for possible

vulnerabilities in this new toy. Probably it's almost more surprising that there is no exploit

out yet after a couple of days of searching but on the other hand there are already a couple of days of searching, but on the other hand, there are already a couple of smaller

hints that may lead to exploitation in the future. One thing that sort of limits the attack

surface of this console is that it doesn't come with a web browser. Well, at least it's not

advertised. There is actually a

hidden web browser installed on the console, and that web browser is launched whenever the user

connects to a Wi-Fi network that requires the user to log in. Many Wi-Fi networks, of course,

have these pages that you have to acknowledge

or you have to enter some credentials in order to connect. And for this purpose, they did install

this browser. And of course, at that point, it's possible to exploit various browser vulnerabilities.

The browser appears to be WebKit-based.

WebKit has had vulnerabilities in the past, and there are probably more to go.

Also, the stage fright library is installed on the console, so in conjunction with the browser,

there may be a way to exploit it.

Well, on the other hand, even if there is a vulnerability, it will be difficult to exploit.

The console does use the arm trust zone.

So that's supposed to secure applications by running them in a sandbox.

We'll see what's going to happen.

Nintendo has put out a $20,000 buck bounty

...