In January of 2001, Nintendo released an adapter that allowed Game Boy Color owners to play Pokémon online. Now, 22 years later, a hacker has found a way to hack into another player’s Game Boy by exploiting a bug in the game.
Xcellerator, an independent security researcher, said he has always been fascinated by “retro tech.”
“There's a feeling that it's possible to understand the whole system that you don't get with modern computers and devices. The Game Boy has been on my list for a while to dig into,” he told Motherboard in an online chat.
And so he did. In a blog post, Xcellerator explained how he tore down and studied the code behind the Mobile Adapter GB, the hardware cable that allowed the Game Boy to connect to the internet via a mobile phone, and the Mobile System GB, the service that ran the adapter and allowed players to square up with their characters in Pokémon Crystal.
The adapter worked by sending information back and forth between the Game Boys of the players facing each other in Pokémon Crystal.
At first, Xcellerator tried several approaches that did not end up working, but he still documented them in detail in his blog post. Finally, after a lot of tinkering, he found a vulnerability in the Japanese version of Pokémon Crystal that he could exploit via the mobile adapter.
“There's a bug in how Nintendo handles the names of your team that lets me trick the Game Boy into treating another part of the message as the next bit of code to execute,” Xcellerator said. “Putting it all together, by triggering this bug and injecting a ‘program’ of sorts into the messages, the Game Boy on the other end of the phone line is now under my control as it will execute the code I smuggled in.”
In practice, Xcellerator explained that this means he now has full control of his opponent’s Game Boy, and “the sky's the limit really,” as he put it. In other words, this is a Remote Code Execution exploit, the cybersecurity lingo for a hack that lets the hacker run whatever code they want on the target machine or device.
Xcellerator said he could also cheat and beat opponents by making the game jump to the “out of health” mechanism when a Pokémon faints.
The Mobile Adapter GB also came with a “Mobile Trainer GB” cartridge, which was used to configure the dial-up username and password, and even provided a browser and an email client. While analyzing how the adapter interacts with the game, Xcellerator found that the email functionality was used to let players trade Pokémon online.
“The whole concept of sending a Pokemon trade in an email in 2001 is just wild to me,” he said.