The Tegra X1 is one of Nvidia's latest mobile processors, powering devices like the Nintendo Switch, Google Pixel C, and Nvidia Shield. It's not uncommon that vulnerabilities are discovered in SoCs, and that has just happened for the Tegra X1. Katherine Temkin and the ReSwitched hacking team have just released details about a security flaw, nicknamed 'Fusée Gelée,' that allows unauthenticated arbitrary code execution on devices using the Tegra chip.

You can read all the details at the source link below, but to summarize, Fusée Gelée takes advantage of a flaw in the Tegra X1's USB recovery mode. By sending a malformed command during the bootROM's USB control procedure, code can be copied into the protected application stack. This allows the attacker to run arbitrary code on the device.

The team put together a proof of concept for the Nintendo Switch, as seen in the image above. Since the Pixel C and Nvidia Shield use the same processor, it's very likely the vulnerability affects those devices as well. As written in the documentation, "Access to the fuses needed to configure the device's ipatches was blocked when the ODM_PRODUCTION fuse was burned, so no bootROM update is possible." In other words, the vulnerability can't be fixed on existing devices.

The team has provided all information about the exploit to Nintendo and Nvidia, so future revisions of the X1 probably won't be susceptible to the bug. In the meantime, you probably shouldn't store government secrets on your Shield or Pixel C.

Source: GitHub