TL;DR: Switch may have a network SoC that can be compromised... No exploit is even close in time for the Switch, but the possibility of a hardware-based hack that is difficult to fix may now exist....

Apple's iPhone and many, many other vendors' phones use Broadcom's HardMAC chipset, which provides a System-on-Chip that abstracts many low-level Wi-Fi details. Of course, that abstraction also results in complexity.

On April 4th, the following Chromium bug report log became public:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1046

On the same day, the following blog report was published, covering the substantial work involved:
https://googleprojectzero.blogspot.com.au/2017/04/over-air-exploiting-broadcoms-wi-fi_4.html

Also on the same day, Plutoo tweeted that NS on Switch has fallen:
https://twitter.com/qlutoo/status/849217859662348290

And a user "coincidentally" asked if the Broadcom firmware file was available in decrypted form from this NS break:
https://twitter.com/laginimaineb/status/849347353299603458

My guess is that user is familiar with the above SoC firmware break in BCM chips...

NOTE: The above blog post is an excellent example of how difficult reverse engineering is, including the difficulty of creating a usable exploit from a confirmed bug....

Here's a bullet-point summary:

- Research may apply to the Switch's networking chipset
  - Research was on BCM4358
  - Broadcom claims newer versions use the built-in memory protection units
  - Switch uses BCM4356 (apparently older version in Switch)
- BCM firmware...
  - puts ROM at 0x0 and RAM at 0x180000
  - parses network packets with an essentially static heap layout
  - first bug corrupts internal heap, with attacker-controlled next pointer ... which is then allocated for next packet.
  - has a vendor-unique command that, if heap is corrupted from above, allows attacker-controlled data to be written to that allocation... the location of which was attacker-controlled from the prior bug
- The ROM for the BCM line has a software-based version, with open source, making reverse-engineering of the SoC ROM slightly-less-than-impossible

As you know, the Switch uses ARM TrustZone to at least some degree. But access to memory by authorized peripherals (on at least some buses) occurs at the security level of the caller. Anyone want to guess if the Switch kernels use networking capability... e.g., for firmware updates?
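
The heap bullets above come down to an allocator trusting a next pointer stored in-band beside packet data. As an added illustration (not from the original post or the linked write-up, and not Broadcom's allocator), this toy fixed-chunk free list in C puts the unchecked allocation beside a version that validates the link before using it; every name, size and layout here is constructed.

```c
#include <stddef.h>
#include <stdint.h>
/* Toy fixed-chunk free list; layout and names are constructed for illustration. */
#define NUM_CHUNKS 4
typedef struct chunk {
    struct chunk *next;   /* in-band free-list link, stored next to packet data */
    uint8_t data[56];
} chunk_t;
static chunk_t heap[NUM_CHUNKS], *free_head;

void heap_init(void) {
    for (int i = 0; i < NUM_CHUNKS; i++)
        heap[i].next = (i + 1 < NUM_CHUNKS) ? &heap[i + 1] : NULL;
    free_head = &heap[0];
}

/* A chunk pointer is valid only inside heap[] and on a chunk boundary. */
int is_valid_chunk(const chunk_t *p) {
    uintptr_t a = (uintptr_t)p, base = (uintptr_t)heap;
    return a >= base && a < base + sizeof(heap) && (a - base) % sizeof(chunk_t) == 0;
}

/* Unchecked: follows whatever link is stored in the chunk. */
chunk_t *alloc_unchecked(void) {
    chunk_t *c = free_head;
    if (c) free_head = c->next;
    return c;
}

/* Hardened: validate head and link before use; fail closed on corruption. */
chunk_t *alloc_checked(void) {
    chunk_t *c = free_head;
    if (!c || !is_valid_chunk(c) || (c->next && !is_valid_chunk(c->next)))
        return free_head = NULL;
    free_head = c->next;
    return c;
}

/* Returns 1 if the second allocation is memory the allocator does not own. */
int second_alloc_escapes(int checked) {
    static chunk_t outside;   /* stands in for memory outside the heap */
    chunk_t *(*alloc)(void) = checked ? alloc_checked : alloc_unchecked;
    heap_init();
    heap[0].next = &outside;  /* models the overflow rewriting the link */
    (void)alloc();
    chunk_t *second = alloc();
    return second != NULL && !is_valid_chunk(second);
}

int main(void) { return !(second_alloc_escapes(0) == 1 && second_alloc_escapes(1) == 0); }
```

The program exits 0 when the unchecked allocator hands out the out-of-heap chunk and the checked one refuses it.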