Is the CIA (Or Someone Else) In Your Nintendo Switch?

Government spy or Yooka-Laylee enemy? You decide.

By now, you’ve probably seen or heard the news:

“…WikiLeaks published thousands of documents Tuesday it says detail CIA tools for hacking into web servers, computers, smartphones and even TVs that can be turned into covert microphones.” —John Bacon, USA Today, 3/7/17

To be honest, this is nothing we didn’t already know—if it runs code (and especially if it has a network connection), it’s probably hackable. Gaming consoles are not immune to this phenomenon, as demonstrated by the vibrant modding communities for games like Super Smash Brothers.

However, it’s one thing to add Dragon Ball Z characters to a video game, and another to co-opt the system to spy on your daily activities. With the Nintendo Switch now in the hands of the masses, how concerned should gamers be that their favorite new home/portable hybrid is giving unwanted third parties a look into their daily lives?

Let’s just say it’s good news/bad news time…

  • As a standalone system, the Switch is a pretty lousy spying tool. There’s no built-in microphone (according to the system’s tech specs), and no camera outside of the IR camera in the right Joy-Con. If someone really wants to listen in on your Mario Kart 8 Deluxe rage, it’s much more fruitful for them to hack your smartphone, laptop, or even your smart TVs rather than your Switch. This is good news.
  • As a high-powered portable system, however, the Switch offers some intriguing potential as a tracking device. While it does not have a GPS device built-in, its Wi-Fi capabilities may allow an adversary to calculate your position via triangulation, giving them the ability to follow your movements as you use the system. Furthermore, the Switch’s accelerometer, gyroscope and brightness sensor may even allow someone to infer your current behavior (for example, are you actively playing the system, or is it in sleep mode tucked away in your pocket?). This is bad news, although I would argue that if you’re already carrying a smartphone around, having the Switch with you doesn’t increase your risk all that much.
  • Compared to other types of technology, video game consoles don’t offer a great ROI for hackers (government or otherwise). Consider this: Nintendo has sold almost 700 million consoles ever, whereas global smartphone sales were estimated at 1.6 billion in 2016 alone. Garden-variety hackers tend to follow the money, and smaller install bases mean a less-lucrative payoff for their efforts, so there’s a smaller chance the Switch (or any other console) will be targeted. This is good news.
  • As a networked device living in your home, however, a Switch may be useful for pivoting, or launching attacks on other, higher-value targets in a network. If a hacker discovers a remotely-exploitable flaw in a console, it can then use that system as a base of operations for deeper exploration of the network the system lives on. (The medical community has been plagued by this problem for several years.) Even though the Switch isn’t a great spying device by itself, if it’s living on the same network as devices that are great spying devices, it still might be worth a hacker’s time to attack and compromise the Switch. This is bad news, and a major reason the cybersecurity community is so concerned about the “Internet of Things.”

So is some random three-letter agency lurking in the depths of your new Zelda machine? It’s highly unlikely, given that the Switch isn’t a great spying tool by itself and these agencies (if WikiLeaks is to be believed) have more than enough ways to reach your other devices without pivoting through the Switch. Run-of-the-mill cybercriminals, on the other hand, might be more interested in establishing a beachhead on your console, and the sad truth is that if Nintendo isn’t vigilant about patching and protecting its devices (and perhaps even if they are), anybody could conceivably take a shot at your Switch for any reason at all.

Of course, a perfectly-secure Switch is one that is powered-down, disconnected from the Internet, and locked in an iron box, which really makes it hard to play Zelda on the darn thing. In the end, your best hope for avoiding unwanted guests on your Switch is to practice good cybersecurity hygiene, ensure that other devices on your network are secured, and then cross your fingers as you turn on Breath of the Wild and hope what you’ve done is enough.