Hardware [FALSE] Foxconn accidentally leaks Wii-U private keys...

[Frank Cadena]

What I'm interested in is whether Nintendo is going to sue Foxconn for the leaking of the design related docs. If this were to happen to Apple design schematics, which values it's secrecy highly, Foxconn would be sued like you wouldn't believe.

 

[snikerz]

 

[Dimensional]

Clearly a lot of people here don't understand any cryptography.

Obviously the article is fake, but Foxconn most likely don't have the private keys anyway since they have no need for them. The file packages they'd be flashing would already be signed. Private keys never leave the business that created them, otherwise they can't be considered private. Finally, consoles only contain public keys and nothing more. Public keys are of course useless for hackers because they're only used to verify that signed packages are legitimate.

The consoles would have the public keys coded into the systems, not the private, but the private key is required to sign the programs that will be installed onto the system. Assymetric encryption and signatures: When you sign a program, what happens is the system creates a checksum of the program or a file, something that is used to verify the file isn't corrupted. Then the private key is use to encrypt the checksum, so that when you verify the signature, the public key decrypts the checksum and compares that with the file again. Signatures ensure 2 things. That the file isn't corrupted and thereby won't screw up the system, and verifies that it came from official sources and hasn't been altered in any way that could cause problems, like for PCs, installing a virus unknowingly.

Foxxconn could have the private keys, since private and public keys go in pairs and you sometimes have to give them both to ensure that development of the units goes smoothly, but only the public keys would be written into the system. Private keys, as said, would remain private, but mistakes like this can release them to the public and basically destroy the security of this system. Best example is the PS3. It's root private keys were discovered mathematically. Foxxconn could have had the private keys documented and accidentally leaked it.

So if the private keys were found, all one would need to do now is find the common key, aka the public key, and they would have full access to the system. And changing the private key would invalidate the public keys and so would invalidate all signatures for everything made for that console. Only good thing about this for Nintendo is that it was discovered early before the console was scheduled to be released. If it had happened after it was release and already had a large library of games and content, they would have to resell every game, updated for the new common key, because the games already in the hands of consumers would suddenly not work. It would be almost as bad as Nintendo releasing a system update that bricks systems that weren't modded or anything.

They could have the private keys, and that was one of the few ways people could get ahold of it. Don't count this as a lie just yet. It's still possible.

 

[PolloDiablo]

I'm laughing reading the neogaf thread. People are calling Deadly the "LMFAO-guy from GBAtemp", and saying that we're all "particular people"

 

[smf]

Nope, OTP can ONLY be flashed one way. Every single byte by default is 0 in OTP. When it is being written, some bytes are changed to 1. It is impossible to change a byte back to 0 once it has been changed to 1. Bytes that are still 0 can be changed to 1, this can theoretically even be done by the system (if someone wanted to really mess up a Wii, they could change a few 0s in OTP to 1s).

You mention flashing NANDs - that has nothing to do with this. If keys are being stored in OTP, as they were on Wii, they cannot be reflashed (well, they can be increased in value by changing some 0s to 1s, but not properly rewritten to any new randomly generated key).

In the Wii the OTP stores a hash of boot1, the keys however are stored elsewhere.

The Wii-U may be entirely different and we don't know what keys have actually been leaked.

 

[KazoWAR]

I wonder if this was really an accident?

Anyways, nothing like a mandatory day 1 update can't fix. All they have to do is white list like 10 games or so.

 

[AlanJohn]

I'd totally buy the WiiU if it were to be hacked on day one.
Even for 1000$.

 

[DeadlyFoez]

Wait so no one else but DeadlyFoez has seen the article?

For all we know, he could have made it up. :/

Shush it. He wouldn't do that to us!

Exception: the never-ending update, which he did do to us.

Today is not April Fools day. Plus, I don't know how to write any bit of a good article, especially one that isn't all about how fucking great I am. When it comes down to PR type stuff, I leave it all up to XFlak to write up everything, I just give him ideas on what basically needs to be said. I haven't even gotten the chance to talk with XFlak about this yet.

 

[ProtoKun7]

Yeah, but aside from your word there's no proof of any of this yet.

 

[DeadlyFoez]

Touche.

I'm sure that it will it /.ed very soon. /. loves this type of stuff.

 

[snikerz]

Dear snikerz,

I can hereby confirm that no such article has been published on Engadget. As an organization that supports the freedom of the press, we're also offended by the reproach of removing that article.

Yours sincerely,

Darren Murph
Engadget Managing Editor, Weblogs, Inc.
[email protected]

 

[DeadlyFoez]

Dear snikerz,

I can hereby confirm that no such article has been published on Engadget. As an organization that supports the freedom of the press, we're also offended by the reproach of removing that article.

Yours sincerely,

Darren Murph
Engadget Managing Editor, Weblogs, Inc.
[email protected]

Sounds to me almost like acknowledgement of said article with that wording....

 

[snikerz]

Electronics manufacturer Foxconn has mistakenly placed the private keys and other design related documents for the Nintendo Wii-U on the public portion of their FTP server that they use for hosting drivers and software. The mistake was noticed by an engineer early Wednesday, but not before the documents had been downloaded more than a dozen times.

FYI, there is no such FTP server. All their drivers are only available via HTTP download.

 

[TimS]

Hey guys, this is Tim Stevens, editor-in-chief at Engadget.

First off, we did not run this post. We've checked all our system logs and nothing like this ran on our site. Additionally, that post is not written using our grammatical and style standards. It just isn't an Engadget post. I don't know who made it up or why, but someone did.

Secondly, the supposed email from Darren Murph posted above is also a fake. I don't know why someone would fake a denial email but it is, indeed fake.

Finally, as proof that I am indeed the real Tim Stevens, I'll be tweeting about this shortly. I'm @Tim_Stevens and you can check it out yourself.

Thanks all for reading, we love you all -- even those making up junk.

-tim stevens
editor-in-chief, Engadget

 

[DeMoN]

Thanks for clearing that up, you even linked to here so I believe you.

Edit: Here is the official tweet: https://twitter.com/Tim_Stevens/status/220948945013182464

 

[ProtoKun7]

Hey guys, this is Tim Stevens, editor-in-chief at Engadget.

First off, we did not run this post. We've checked all our system logs and nothing like this ran on our site. Additionally, that post is not written using our grammatical and style standards. It just isn't an Engadget post. I don't know who made it up or why, but someone did.

Secondly, the supposed email from Darren Murph posted above is also a fake. I don't know why someone would fake a denial email but it is, indeed fake.

Finally, as proof that I am indeed the real Tim Stevens, I'll be tweeting about this shortly. I'm @Tim_Stevens and you can check it out yourself.

Thanks all for reading, we love you all -- even those making up junk.

-tim stevens
editor-in-chief, Engadget

Thank you for the clarification.

And with that, I declare this thread closed.