back

It's not safe on the streets... especially for your 3DS!

Exploring a new attack surface on the 3DS

If you suspend your transcription on amara.org, please add a timestamp below to indicate how far you progressed! This will help others to resume your work!

Please do not press “publish” on amara.org to save your progress, use “save draft” instead. Only press “publish” when you're done with quality control.

Video duration
00:46:28
Language
English
Abstract
The 3DS is reaching end of life but has not revealed all its weaknesses yet. This talk will go through the process of reverse engineering an undocumented communication protocol and show how assessing hard-to-reach features yields dangerous results, including remote code execution exploits!

<p>Embedded Devices are all around us, talking to each other in ways we often don't even realize. In this talk, we discuss how one such communication mechanism in the 3DS remained unexplored for over seven years as well as the vulnerabilities that were lying dormant as a result.</p>
<p>We will explore specific features of the 3DS and talk about their low-level implementation details and about why they were not tested before. Besides, we will walk through the (lengthy) dev process involved in putting together this exploit, and the significant risks involved in devices (even game consoles) having this kind of vulnerability.</p>
<p>Finally, we will demonstrate the attack in action.</p>
<p>Since the talk will be a bit technical some basic knowledge about network protocols and software exploitation techniques is recommended, but it is aimed to be enjoyable for non-technical audiences as well.<br>One might also take a look at previous talks (32c3 and 33c3) about the 3ds for more in-depth background knowledge.</p>

Talk ID
10796
Event:
36c3
Day
1
Room
Dijkstra
Start
2:10 p.m.
Duration
01:00:00
Track
Security
Type of
lecture
Speaker
nba::yoh
Talk Slug & media link
36c3-10796-it_s_not_safe_on_the_streets_especially_for_your_3ds

Talk & Speaker speed statistics

Very rough underestimation:
108.7 wpm
604.9 spm
109.3 wpm
604.6 spm
100.0% Checking done100.0%
0.0% Syncing done0.0%
0.0% Transcribing done0.0%
0.0% Nothing done yet0.0%
  

Work on this video on Amara!

Talk & Speaker speed statistics with word clouds

Whole talk:
108.7 wpm
604.9 spm
messagebufferdatastreetpasscodesystemexploitstackapplicationpointertemporaryexecutionnba::yohfilecontrolpacketsmodereturnmessagesprotocolsendapplicationscecdremoteccdvulnerabilitymicrophonepointerskernelbasicallyfree3dssizeaddressquestionbufferspointinterestingtalkstructurekeyboxunderstandoverwriteencryptionfirmwarerunningarm9thingsparser
nba::yoh:
109.3 wpm
604.6 spm
bufferdatamessagestacksystempointerstreetpasstemporarycodeexploitfileexecutioncontrolprotocolsendcecdpacketsapplicationmodereturnpointersremotekernelmessagesvulnerabilityfreepointinterestingstructuresizebuffersaddressbasicallyboxcheckoverwritefirmware3dsparserunderstandlistarrayarm11arm9talkfeatureapplicationsbitspecificpacket