Nintendo Offers Up To $20,000 To Hack the 3DS

Mickeycaskill writes: Nintendo will pay up to $20,000 for system and software vulnerabilities in the Nintendo 3DS family of handheld gaming consoles. The company is looking to prevent activities such as piracy, cheating and the circulation of inappropriate content to children. The stated goal is to "provide a secure environment for our customers so that they can enjoy our games and services. In order to achieve this goal, Nintendo is interested in receiving vulnerability information that researchers may discover regarding Nintendo's platforms." Silicon.co.uk reports: "Rewards will range from $100 to $20,000, with one given per 'qualifying piece of vulnerability information.' Hackers looking to claim a reward will have to provide Nintendo with either a proof-of-concept or a piece of functional exploit code in order to qualify."

Good luck with that, Nintendo.

$20,000 is peanuts compared to what a good exploit can bring in. The Xkey360 is a good example of a hack that brought in buckets of cash for the folks that made the kit.

Re:Good luck with that, Nintendo.

...and $20k is the upper limit. I'd be surprised if they released any $20k rewards, most are probably $1k or lower which isn't even worth the time submitting a notice to Nintendo. Spend more on your software developers or pay more for your bug bounties--otherwise, keep your chump change, Nintendo.

Remember, the GBC had an ACE exploit.

Thankfully they weren't wifi enabled or 1998 could've been an interesting year...

https://www.youtube.com/watch?v=aYQpl8Jj6Yg

Do they really have a piracy problem?

[sims+2]

I mean I haven't even seen a 3DS in months I just figured they were obsolete or something. You know like the WII and that thing you have to explain is not a handheld the WII U.

Re:Do they really have a piracy problem?

Pretty much the only reason the 3DS gets patched is to fix exploits. There's a small industry that creates 3DS cartridges that fit microSD cards that get loaded with ROM images of games so you can pirate 3DS games to your heart's content. The original DS also had this problem, and the flash carts for it were fairly sophisticated and allowed some interesting features like save states, frame slowdown, and a hex editor.
 
Source: I pirated a lot of DS games through the flashcart (there were many options) and even played NES Earthbound on it. The cart worked in my 3DS but I wasn't interested in pirating 3DS games because it required you to run old firmware. I looked into it and the flashcart devs do update their software to work with more recent firmware, but it's such a hassle for something I wasn't going to use very much.

Re:Do they really have a piracy problem?

There's a very active homebrew/modding scene for the 3DS currently, with a pretty good selection of homebrew apps that you can directly install into a modded console. Including apps that will literally download and install pirated content directly from Nintendo's own CDN servers. So yeah, you could say they have a bit of a piracy problem at this point.

Re: Do they really have a piracy problem?

If the only reason they update firmware is to patch exploits why do you care if you're running an old version?

Re: Do they really have a piracy problem?

If the only reason they update firmware is to patch exploits why do you care if you're running an old version?

Mostly because Nintendo forces you to if you are an active gamer and wish to play new games or have access to online content.

The 3DS automatically downloads and installs a lot of their firmware updates with very minimal user interaction. If your 3DS is not set up to automatically connect with the local wifi, sometimes new gaming cartridges will come bundled with a 3DS firmware upgrade you have to install before being allowed to play the game.

Several games with online content will not allow you to connect if your firmware version isn't the latest.

Re:Do they really have a piracy problem?

[Bing+Tsher+E]

Considering you can download an entire collection of every Nintendo DS game ever produced and run any of them off of flash in an R4 cartridge, they probably want to prevent that from coming to be for the 3DS.

There is nearly zero incentive, except for collecting purposes, to search out old DS cartridges to play. An R4 cartridge costs less than a vintage DS Pokemon cart and can hold the entire Pokemon DS collection.

Re: Do they really have a piracy problem?

You don't even a flashcart anymore, the 3ds is even more broken than the ds and wii. It takes a couple of hours but afterwards you can simply download any game directly from the eShop to the SD card. If you want to play older games you can use literally any ds flashcard, emulators, or virtual console.

Re:Do they really have a piracy problem?

The 3DS is already so much worse than that for piracy... You can pirate 3DS games directly on the system without even needing extra hardware or a computer at this point. It works just like the official eshop except for the whole paying for things part.

It's a trap!

[AlexanKulbashian]

Yeah.. Once you win the prize, they will sue you for the hack

It's funny though...

[bobbied]

THEY decide what hacks get the money and how much.... I'd like this kind of thing more if it was more of a community decision, where the company puts up some funds in escrow and then some independent evaluation or poll among the user community decides which hacks are worth the most. As it stands, even though Nintendo is asking for help from hackers, they hold all the cards AND the cash.

Nice PR ploy, but until they actually pay up for this "help" I'm choosing not to hack my way any closer to them than twice as far as I can throw a hacked device.

Re:It's funny though...

Wouldn't work -- the community would just keep voting 'Sploity McSploitface for hack of the week. Just assign a dollar value based on the vulnerability's CVSS score. Something like 2^cvss_score * base_value would work pretty well, especially if the base value were above $1,000. That way, minor flaws would only be worth thousands but a vulnerability that totally screws the pooch ends up being worth millions.

Pirates pay more ...

[thesjaakspoiler]

.. for your hacks than Nintendo does. $20000 is peanuts. Even the retired ladies cleaning the toilets at Nintendo get a bigger annual bonus for their hard work.

They're a little bit late

[HalAtWork]

SKY3DS can already play backups

Don't help them until they support homebrew

[MobyDisk]

Security holes in these types of devices are what enable the homebrew developer community. Until Nintendo provides support for homebrew development on the 3DS, no ethical hacker should be providing vulnerabilities to Nintendo. Now, if Nintendo put that $20,000 toward providing homebrew options, then ethical hackers will want to help Nintendo since it would help secure their platform.

Although, with the rise of smart phones, there is a much smaller homebrew community on the 3DS than there was on previous generations of their hardware.

Re:Don't help them until they support homebrew

[Bing+Tsher+E]

Unless you add a bluetooth controller, there is no comparison between smartphone games and actual handheld games like the 3DS. Kneading your fingers against flat glass will never be a replacement for a handheld with real buttons.

The fragmentation of the bluetooth controller market, along with the iOS/Android separation, keeps mobile gaming fragmented and weak.

Just mho, of course.

Re:Don't help them until they support homebrew

[tepples]

This July, Nintendo offered devkits to individuals for the first time. See https://developer.nintendo.com...

Re:Don't help them until they support homebrew

You still need Nintendo's blessing to publish.

Re:Don't help them until they support homebrew

[tepples]

Likewise, you need Apple's blessing to publish on Nintendo's competitor (the iPod and iPhone).

Re:Don't help them until they support homebrew

[MobyDisk]

yay! Thanks for posting that!

It will work, but not how you think

[k3vlar]

This tactic will likely work, even for the pitifully low amount of money Nintendo's offering, and here's why:

Real exploit developers will be less likely to release their kits. As soon as they do, nothing's stopping someone from decompiling or reverse-engineering their exploits, and then sending them in to Nintendo claiming ownership and collecting the pitiful reward.

For every true developer doing it for the challenge, there's two dozen desperate wannabes who will steal it to try and make a quick buck, and it's a lose-lose for everyone. This is why the Wii & Wii U modding and homebrew scene died, it's why the iOS jailbreaking scene died, and those are just recent examples.

.

Re:It will work, but not how you think

[Bing+Tsher+E]

People doing it for the challenge probably will continue to do it, then. I can sympathize with them. Many times defeating the copy protection on an 'entertainment' device or game is more fun for nerds than playing the actual game.

So it's not a lose-lose for the hacker having their fun finding and refining the exploits.

Re:It will work, but not how you think

Actually both the Wii and Wii U have fairly good hacking communities but that's because Nintendo no longer supports either of those platforms. It's also likely already to late for the 3DS. The 3DS has maybe 6-18 months left in its lifespan. The homebrew community has all the exploits* it needs to remain relevant for that amount of time. Once the 3DS is no longer supported by Nintendo the homebrew community will have free reign.

This is more likely a test so Nintendo can learn the ends and outs of these kinds of bounty systems before the switch is released. It also would surprise me if the switches OS is based on the 3DS's OS so they maybe trying to shore up security before release of the switch as well.

*There are guides detailing hardware based root key extraction that you could look up right now. Nintendo would basically have to rewrite their entire security to stop those and they're not going to do that for the 3DS at this point in its life.

Re:It will work, but not how you think

The reason modding scenes died on console and phone is because you can get much more powerful devices for a lot less money. It was more interesting when consoles and devices were more powerful than what you could get without spending lots of money. Now they're even weaker than a basic prebuilt PC.

Re:It will work, but not how you think

Shit, even if I were a true developer doing it for the challenge, I wouldn't turn down $20,000.

Re:It will work, but not how you think

[trawg]

For every true developer doing it for the challenge, there's two dozen desperate wannabes who will steal it to try and make a quick buck, and it's a lose-lose for everyone. This is why the Wii & Wii U modding and homebrew scene died, it's why the iOS jailbreaking scene died, and those are just recent examples.

Hmm, interesting perspective. I guess from the other side though, a lot of us nerds are constantly berating these companies for not being vigilant enough when it comes to security.

It's possible I guess that the security holes that allow us to jailbreak platforms to exploit other functionality could be considered "beneficial" but I suspect the reality is if those holes exist, it's just as likely they can be exploited by malicious actors.

If the net result is more secure software - that stops us jailbreaking - is that a better or worse outcome?

Re:It will work, but not how you think

[geekmux]

This tactic will likely work, even for the pitifully low amount of money Nintendo's offering, and here's why: Real exploit developers will be less likely to release their kits. As soon as they do, nothing's stopping someone from decompiling or reverse-engineering their exploits, and then sending them in to Nintendo claiming ownership and collecting the pitiful reward. For every true developer doing it for the challenge, there's two dozen desperate wannabes who will steal it to try and make a quick buck, and it's a lose-lose for everyone. This is why the Wii & Wii U modding and homebrew scene died, it's why the iOS jailbreaking scene died, and those are just recent examples. .

Then perhaps Nintendo should raise that fucking pathetic reward.

If the bug bounty reward were $2 million, chances are you would bypass all of this other nickel-and-dime bullshit.

And don't give me this shit that Nintendo can't afford it. They can't afford not to protect their products making millions, and bounty payouts are also written off as a business expense.

Good idea

[raymorris]

> As soon as they do, nothing's stopping someone from decompiling or reverse-engineering their exploits, and then sending them in to Nintendo claiming ownership and collecting the reward.

Thanks for the idea! ;)

Just Open up your Hardware

Don't bother with payouts. Just publish the details of your system, and let people do with it what they will.

Politically-Correct Hackers

[CanEHdian]

PCHs might. Not for the money, they'd come to the teacher anyway and tattle-tale all about their findings... then have these doe-eyed looks hoping for a "good job, boys" from teach. Because their hack might... (omnious pause, tension builds...) enable PIRACY!!! Ba-dam Tssss. In the old days people just openly released their stuff. Nowadays you got to take precautions and pretend you're a whistleblower, but you can still can get your stuff out in the open anonymously.

Re:Politically-Correct Hackers

Can't say I've heard of anyone like that... with the possible exception of the Denuvo traitors.

$20,000 ? Nice try add a zero to get serious

[ElectricPrism]

When a developer finds that kind of bug they have the upper hand, I would add a zero and make it $50,000 - $200,000 and if Nintendo wasn't willing to enter contract to exchange the security research for the money by say 20-30 days I would pull a Google and do a Day-Zero publish on the defect. Then I would rinse and repeat including a contractual boilerplate clause to protect and indemnify and collect my payment in bitcoin. 20K is insulting.

Re:$20,000 ? Nice try add a zero to get serious

[geekmux]

When a developer finds that kind of bug they have the upper hand, I would add a zero and make it $50,000 - $200,000 and if Nintendo wasn't willing to enter contract to exchange the security research for the money by say 20-30 days I would pull a Google and do a Day-Zero publish on the defect. Then I would rinse and repeat including a contractual boilerplate clause to protect and indemnify and collect my payment in bitcoin. 20K is insulting.

Given the amount of money Nintendo makes off these products, $200K is insulting.

Make it $2 million. THEN you'll find the right amount of attention and results.

DMCA?

So let's see... hack the console, get $20,000, go to prison. Yeah, that's worth it.

Re:DMCA?

[tepples]

Security testing, if performed for purposes other than to enable infringement, is not only explicitly exempt from the DMCA's circumvention ban (17 USC 1201(j)) but also likely explicitly permitted under the bug bounty program's terms.

Re:DMCA?

[Opportunist]

So 20k is more like the "20k to life" option?

Re:DMCA?

[K.+S.+Kyosuke]

It's a good thing to live in a place where the DMCA doesn't apply...

Re:DMCA?

[tepples]

Which country is that that lacks an implementation of the WIPO Copyright Treaty of 1996? And how many refugees from the U.S. copyright regime can your country and its like-minded neighbor(s) absorb?

Re:DMCA?

It's Sealand, and it can probably absorb exactly zero.

As a person who owns 2 hacked 3DS's

[Nyder]

Nintendo is really late on this boat, not even sure why they are doing this now.

The 3DS was hacked a few years ago, but required a 4.5 or less version firmware.
Then like 2 years ago, a entry point was found under the 9.2 firmware, while 9.2 was the current firmware, and it was a community found exploit, which led to custom firmwares that didn't need hardware cards (like the Gateway or Sky). Since then we've had excellent work on hacking the 3ds, found multi entry points, homebrew entry points and other stuff. Best thing is the Freeshop, which allows you to download games for free off the eshop.

So ya, Nintendo is really late on this bus, mainly seeing as the Switch comes out in March 2017 and honestly the 3DS will probably stop being supported next year.

Here's how you do it

[Opportunist]

1. Develop exploit.
2. Sell exploit kit to people who want to pirate soft but can't develop exploit.
3. Wait for about as long as it takes to reverse engineer your exploit.
4. Report exploit to Nintendo and collect the 20k. It's just pocket change, all right, but someone's going to report it anyway.
5. Start over at 1.

Can't hack what you can't get

[daveywest]

About two weeks out from Christmas and you can't find a 3DS in any retail store. I guess for research, I could pay 3x the retail price to a scalper on eBay.

Preparing for the NX release

[Not-a-Neg]

This sounds like they are going to use the same system for the NX that they use for the 3DS to release and deliver games physically and digitally.