3DS MITM Attack?

Discussion in '3DS - Flashcards & Custom Firmwares' started by cats, Oct 16, 2013.

  1. cats
    OP

    cats Member

    Newcomer
    10
    14
    Oct 16, 2013
    First post! :)


    Started thinking about some stuff when I got Pokemon Y the other day.
    Been experimenting at home but I'm having some trouble and thought maybe someone here could help me with some advice on this.

    I'm currently not that interested in modifying the firmware and such on my device, so I'm trying other approaches (mostly for fun) to see what I can do.

    Pokemon has a "mystery gift" function, that connects to a Nintendo server and checks if the device in question has gotten the current mystery gift that is available. If not then I get the gift and if I already have it then it will tell me so.

    So what I'm currently doing is that I'm redirecting my 3DS through a proxy on my network, so that I can sniff that data and see more exactly what the 3DS and the Nintendo server is talking about.

    As some might have figured by now, I want to write my own mystery gift server and redirect all the requests going to that specific domain. The problem is that the SSL certificate on the server might be valid, which will make it more difficult. Although when visiting the site that the 3DS connects to, it tells me it's invalid, but that doesn't mean the 3DS thinks that (it probably has the cert added as approved).

    What I know so far is, that when I choose to check for a new mystery gift in Pokemon Y, it does the following:

    1: It connects to *.nintendowifi.net via HTTP port 80
    2: The server responds with an HTML page saying "This is test.html page".
    I'm guessing the server simply checks for an HTTP status code 200, but I won't bother testing that.

    3: The 3DS now connects to *.nintendowifi.net.
    But this is actually where I hit the wall, since it connects with SSL.

    I'm going to try with the MITM approach one more time tonight, as I haven't written down everything I've tried yet, so I want to confirm and document everything.
    Although, when I tried this the last time, the connection kept dropping, so that might be because of the certificate not getting accepted by the 3DS, but I'm not 100% sure about that yet ;)

    Does anyone have any ideas about this?
    Or maybe someone with a modified device feels like trying, since you can probably get your hands on the cert on the device, or maybe even send it to me? :)

    Any kind of help and advice would be appreciated!

    Thanks in advance :)
     
    TheDreamLord and dot7z like this.


  2. IronClouds

    IronClouds GBAtemp's Pokébro

    Member
    1,019
    460
    May 8, 2010
    United States
    I don't know shit about this, but I'm keeping an eye on this thread for any replies from people who do.
     
  3. twill

    twill Newbie

    Newcomer
    6
    1
    Oct 17, 2013
    Albania
    Unless they're doing something crazy, you can MITM the SSL connection. SSLstrip is an easy tool for this. They seem to have done a decent job with security this time around, and I would imagine the wondercards are either signed or encrypted, and more likely, both. On the other hand, you'd be astounded with what developers will rely on TLS for, so it's worth a shot. Let me know if you end up trying.

    Edit: On second thought, it's been a while since I used SSLstrip, and this might not work at all. Oh well.
     
  4. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,964
    3,238
    Nov 18, 2012
    United States
    Las Vegas
    I don't know much about network protocols, but I'm definitely interested in seeing where this goes. Could we see a Mystery Gift hack in the near future if we figure this out (similar to how the GTS was hacked on DPPt and HGSS)? This is just speculation, but this could definitely lead somewhere, and if not getting any real results, at least give us a bit of insight on X and Y's mystery gift as well as inspire others to look into this.
     
    SuzieJoeBob likes this.
  5. the_randomizer

    the_randomizer The Temp's official fox whisperer

    Member
    22,067
    10,382
    Apr 29, 2011
    United States
    Dr. Wahwee's castle
    It'd be hilariously ironic if this led to a CFW hack :P
     
    Boy12 likes this.
  6. shinyquagsire23

    shinyquagsire23 SALT/Sm4sh Leak Guy

    Member
    1,964
    3,238
    Nov 18, 2012
    United States
    Las Vegas
    It would also suck considering that Nintendo can patch over bugs in X and Y.
     
  7. the_randomizer

    the_randomizer The Temp's official fox whisperer

    Member
    22,067
    10,382
    Apr 29, 2011
    United States
    Dr. Wahwee's castle

    True. It's a damned-if-you-do, damned-if-you-don't situation. Still, the more people that mess with the 3DS and mess around with hacking, the better :D
     
  8. Psionic Roshambo

    Psionic Roshambo GBAtemp Advanced Maniac

    Member
    1,850
    698
    Aug 12, 2011
    United States

    When someone hacked Sony's PSN servers, I am surprised that no one pushed out a CFW for every PS3... Now that would have been epic lol
     
  9. the_randomizer

    the_randomizer The Temp's official fox whisperer

    Member
    22,067
    10,382
    Apr 29, 2011
    United States
    Dr. Wahwee's castle
    I'm just going to keep my comments to myself B-)
     
  10. McHaggis

    McHaggis Fackin' Troller

    Member
    1,718
    939
    Oct 24, 2008
    I'm pretty sure you'd be wasting your time. Non-test connections are encrypted, as you discovered, and the 3DS's HTTP would have been implemented to fail if the SSL certificate used to encrypt the data is spoofed. The eShop, the update server, the spotpass server, will all be using the 3DS's native implementation, so this is exactly the kind of thing they would have tested and verified to ensure security. Otherwise there would have been a huge uproar by now about how people could spoof a 3DS and access the eShop, or access someone else's eShop account, etc.

    Now, if you could put your own generated certificate into the 3DS's store using code written to take advantage of the recent hack, then you'd be able to investigate a little more and a MITM attack would be possible.
     
    pelago likes this.
  11. cats
    OP

    cats Member

    Newcomer
    10
    14
    Oct 16, 2013
    Nice that this seems to interest some people :)

    I have done a lot of reading and experimenting now, and I have discovered a lot of interesting things.
    Some things I won't disclose just yet, since it might be sensitive information if I'm right about this.

    What I can say for now is that I wrote a small example to "simulate" more of what McHaggis is talking about.
    Below is a very simple Java program that connects using a standard, safe SSL socket library.

    Code:
    package SSL;
     
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.SSLSocketFactory;
    import java.io.*;
     
    public class test {
        public static void main(String[] arstring) {
            try {
                // Connect with SSL using the JVM's default trust store: the handshake
                // only succeeds if the server's certificate chains to a CA the client trusts
                SSLSocketFactory sslsocketfactory = (SSLSocketFactory) SSLSocketFactory.getDefault();
                SSLSocket sslsocket = (SSLSocket) sslsocketfactory.createSocket("www.nintendo.com", 443);
               
                DataOutputStream outToServerSSL = new DataOutputStream(sslsocket.getOutputStream());
                BufferedReader inFromServerSSL = new BufferedReader(new InputStreamReader(sslsocket.getInputStream()));
     
                // HTTP/1.1 lines end in CRLF; the empty line terminates the request headers
                outToServerSSL.writeBytes("GET / HTTP/1.1\r\nHost: www.nintendo.com\r\nConnection: close\r\n\r\n");
                outToServerSSL.flush();
                // Print the status line of the response
                System.out.println("SSL - " + inFromServerSSL.readLine());
               
                sslsocket.close();
               
            } catch (Exception exception) {
                // A handshake against an untrusted (e.g. self-signed proxy) certificate ends up here
                exception.printStackTrace();
            }
        }
    }
    

    Now, when the 3DS connects to the server via HTTPS, it would get accepted, just like this program will with any server that has a CA that it trusts, like Facebook or Google, thus the expected result below.

    But in the case of me trying the MITM attack, or simply changing the DNS reply for the domain that the 3DS is looking up, I would have to use a self-signed certificate that doesn't match the trusted certs that the 3DS knows.
    Although the browser on the 3DS has no issues visiting normal pages via HTTPS, which tells me that it MIGHT accept a certificate in the game that I have gotten signed legitimately but is not from Nintendo. This is unlikely, but worth testing (I'm viewing this from all angles possible, so this is definitely an option that needs to be tried).

    Anyway, so this is what happens when the program above is routed through mitmproxy or sslstrip.

    For those that do not understand the output here, let me just clarify that this doesn't mean that this can't be done.
    It just means that their security doesn't suck completely :)

    So, the things that are to be tried now are:

    1: Installing some CFW and Homebrew that can grab the list of trusted certs and such from the device
    2: Try with a legit signed cert (I have one that I will try to use), and redirect the traffic there to see if the 3DS accepts it
    3: With CFW/Homebrew installed, add another trusted CA that can be used, if it doesn't already exist (StartTLS?)

    The list goes on beyond this, but I will post some more later, since I'm not sure about all the stuff I have found so far, so I need to experiment some more on this.
     
    TheDreamLord and dot7z like this.
  12. twill

    twill Newbie

    Newcomer
    6
    1
    Oct 17, 2013
    Albania
    Yeah, I keep forgetting this is a DS and not a network I have control over ><

    By chance, did you happen to notice what SSL version is being used and what cipher? You also might try seeing if you can force a null cipher or at least one that can be broken, or at the very least see if you can enumerate accepted ciphers.

    I feel forging a cert without having access to the CA list will be a bust, but worth a shot if you plan on trying anyway. Another interesting bit of information to check out would be if the server authenticates the client or not.

    IMO, an attack on the cipher seems the easiest next step. I'm just starting to get into DS hacking, so not quite up to speed with everything.
     
  13. cats
    OP

    cats Member

    Newcomer
    10
    14
    Oct 16, 2013
    Yeah that's part of the info that I would rather not discuss here since they seem to be running really old stuff.
    But yes, they are using very old and weak ciphers.

    I have been looking into attacking the cipher, but finding the correct information has been hard since people tend to focus on the newer ciphers and versions of SSL when discussing this.
    If you have any info on that though, then we can talk privately and fix that part, and then share the results of the work here later on.
     
    TheDreamLord and dot7z like this.
  14. gabest

    gabest Newbie

    Newcomer
    6
    0
    Sep 19, 2013
    Hungary
    Tried with Fiddler (http://fiddler2.com/), it can use its own certificate for proxying HTTPS, but the 3DS won't accept it when I enter the eShop, just gives me an error message.
     
  15. cats
    OP

    cats Member

    Newcomer
    10
    14
    Oct 16, 2013
    Well, Fiddler doesn't exist for Linux, so I use sslstrip and mitmproxy, which work the same.
    But yeah, same problem there since it uses self-signed certs.
     
  16. gabest

    gabest Newbie

    Newcomer
    6
    0
    Sep 19, 2013
    Hungary
    I wonder what the 3DS checks in the certificate, or just clients in general, what is the common practice. If I'm correct, everything except the public key is spoofable, since it has a private pair which we can't guess. All the to-be-verified information about the certificate, including the public key, must be stored in the firmware somewhere. It may be worth generating self-signed certs with the same information, except the public key; Fiddler can do that by programming a simple plugin. I already got Nintendo's cert with Wireshark, it was not issued by any major provider, just your average self-signed one.

    edit: If Nintendo ever wanted to replace or renew (currently valid until 2038) the certificate, they could not do that very easily. The current firmware would reject communication and would not update itself unless it has been updated with the new cert first; they need to accept both for one fw version at the same time for a brief period of time to avoid the catch-22 situation. Or they just check something like the issuer's name, which does not change between certificates.
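    Added example, not code from any poster or from the 3DS firmware: a Java client that trusts only one pinned CA certificate and enforces hostname matching, which is the kind of check that makes a proxy's self-signed certificate fail even when its subject, issuer and validity dates are copied (the question in the post above, and the reason cats' mitmproxy run was rejected). `pinned-ca.pem` and the host name are placeholders, and the protocol list assumes Java 11 or newer.

    ```java
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLHandshakeException;
    import javax.net.ssl.SSLParameters;
    import javax.net.ssl.SSLSocket;
    import javax.net.ssl.TrustManagerFactory;
    import java.io.FileInputStream;
    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.cert.CertificateFactory;
    import java.security.cert.X509Certificate;

    public class PinnedClient {
        // Build a context whose ONLY trust anchor is the CA in caPemPath (placeholder file).
        // A certificate not signed by that CA's private key fails the chain check, no matter
        // how closely its subject, issuer name or validity period are copied.
        static SSLContext contextTrustingOnly(String caPemPath) throws Exception {
            X509Certificate ca;
            try (InputStream in = new FileInputStream(caPemPath)) {
                ca = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
            }
            KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
            store.load(null, null);                 // empty in-memory store: no system CAs at all
            store.setCertificateEntry("pinned-ca", ca);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(store);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(null, tmf.getTrustManagers(), null);
            return ctx;
        }

        public static void main(String[] args) throws Exception {
            String host = args.length > 0 ? args[0] : "server.example";   // placeholder host
            SSLContext ctx = contextTrustingOnly("pinned-ca.pem");
            try (SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket(host, 443)) {
                SSLParameters params = socket.getSSLParameters();
                // Require the certificate's SAN (or CN) to match the host we connected to
                params.setEndpointIdentificationAlgorithm("HTTPS");
                // Refuse old protocol versions, which takes the weak legacy ciphers with them
                params.setProtocols(new String[] {"TLSv1.2", "TLSv1.3"});
                socket.setSSLParameters(params);
                socket.startHandshake();            // chain, signature, validity and hostname are all checked here
                X509Certificate leaf = (X509Certificate) socket.getSession().getPeerCertificates()[0];
                System.out.println("accepted: " + leaf.getSubjectX500Principal());
            } catch (SSLHandshakeException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
    ```

    Pointing this at a TLS interception proxy prints "rejected", because the proxy's certificate is signed by a key that is not in the pinned store, whatever its subject fields say.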
     
  17. twill

    twill Newbie

    Newcomer
    6
    1
    Oct 17, 2013
    Albania
    They could likely update the cert rather easily, since, if it is the case it's self-signed, they'd have their own CA listed as a trusted CA. The only reason to update the cert, however, is if they suffered a major breach to their network. That cert will never be cracked without major advances in current technology.
     
    shutterbug2000 likes this.
  18. cats
    OP

    cats Member

    Newcomer
    10
    14
    Oct 16, 2013
    Well, it might be worth fiddling around with the cert, trying to make our own self-signed one with the same specs as their own (obviously not signed by them then).
    Another thing to try like mentioned before, is to try other certs that are not signed by Nintendo, but still accepted by the 3DS.

    I'm currently setting some stuff up here at home, so will try these things shortly.


    EDIT:
    I did a quick check, and the browser in the 3DS doesn't accept any StartCom SSL certs at least.
    So the game might not either.
     
  19. pelago

    pelago Member

    Member
    997
    51
    Feb 20, 2006
    I admire your enthusiasm, but I very much doubt you will get anywhere with this.
     
  20. cats
    OP

    cats Member

    Newcomer
    10
    14
    Oct 16, 2013
    Well, if we all think like that we will never get anywhere :D
    But yeah, it does look like a hard task, but it's all for fun, so even if I don't get anywhere with this, I did have a good time trying ;)