IT vendors cry foul at new Chinese security rules requiring built-in backdoors

Last year, the Chinese government started laying out new rules for technology products used by government agencies and banks, in part as a response to revelations about the National Security Agency’s exploitation of Chinese networks. Now, new rules for selling products to China’s financial sector have drawn a protest from North American and European technology vendors because of how intrusive they are—including demands for backdoors into hardware and complete source code.

In May, China’s State Internet Information Office announced it would institute a “cyber security vetting process” for screening all IT products sold in China. (The Chinese government also banned the use of Windows 8 on government PCs, citing “energy consumption” issues.) Late last year, the government approved the final rules for vetting technology sold to key industries in China.

The New York Times reports that the rules include a requirement for turning over the source code of all software and firmware for computing and network equipment to the Chinese government, and providing management ports for the government to use to observe and control the equipment. The rules for banking systems require that 75 percent of technology products used in the financial sector be “secure and controllable” by 2019. Additionally, a new anti-terror law being drafted by China would require all companies doing business with Chinese citizens to keep that data within the country on servers that could be monitored by the Chinese government.


Exploit allows 3DS to run arbitrary Game Boy ROMs

The emulator behind the Nintendo 3DS' Virtual Console is usually locked down to only run ROMs officially distributed through the Nintendo eShop. A new exploit released this week, however, opens the platform to load and run any existing Game Boy or Game Boy Color ROM.

The exploit relies on a buffer overflow error in the current version of the 3DS' Web browser. When loaded with specific timing, this overflow can be used to replace a legitimately purchased Game Boy Color game in the Virtual Console's memory with a ROM loaded on an SD card or stored at a Web address, as long as both ROMs are the same size. Game Boy Advance games currently aren't supported by the hack, and in-game saving functions don't work on side-loaded ROMs, though users can store progress using the Virtual Console's save state function.

While the exploit seems to work with any 3DS firmware up to the latest release (9.4), it doesn't seem to work with the Web browser found on the new 3DS that will launch in the US next month. This suggests it will be trivial for Nintendo to patch the memory hole out in a future release of the 3DS firmware and Web browser.
