Is Nintendo DS wifi Safe?
January 15, 2006 12:13 PM

Nintendo DS wifi questions...

My son has a Nintendo DS and just got a couple of games for Christmas that he can play wirelessly on the Nintendo wifi network. My husband set it up and it seems to work (he was playing Mario with a kid in Japan this morning).

Our questions are more regarding the security of it all. We have a router with a firewall, as well as running the Windows XP firewall (DSL connection). We just wondered, though, is it possible for someone to give us a virus or hack into our computer network through this Nintendo DS connection? There are two ways to run with people you know with a friend code and one with anyone that happens to be playing at the same time. Is one of these methods safer than the other? Anything else we should be aware of that we may not be thinking of?
posted by Mrs. Smith to Technology (12 answers total)
are you using a wireless router or Nintendo's own USB wifi connector?
posted by mcsweetie at 12:47 PM on January 15, 2006

Wow, someone sure did a good job of giving you the willies about using the net. Adding a DS to your network does not impact your security in any way that I can think of. All matches are set up through Nintendo's servers, there is no difference in the risk between a friend code and a random match, as neither of them have any more risk than browsing the web or anything else you might do. As a closed, single-purpose design, the DS is far less vulnerable to attack than your PC. If you want to worry about your security, worry about the PC. Your DS is clean as a whistle, no matter how you use it.

Disclaimer: Anything's possible, but no-one has yet heard of what you're worrying about happening, and if it happened, it would be big news in the geek press.
posted by ulotrichous at 12:51 PM on January 15, 2006

On preview, if you added a new wireless access point to your network to enable this, your access point could be unsecure (and probably is by default), that could allow people immediately nearby to join your network behind your router, but outside your PC's firewall. If you're using Nintendo's USB dongle, the worst case scenario there would involve someone hiding in the bushes with a DS who really wanted to play Mario Kart online without your permission. Or maybe Animal Crossing.
posted by ulotrichous at 12:57 PM on January 15, 2006

We're using our router, not the Nintendo USB connector, so yes, we added a new access point. My concern is that someone could use that access point to get into the computers. I'm not concerned at all about someone hacking my kid's DS.
posted by Mrs. Smith at 1:21 PM on January 15, 2006

have you enabled any sort of encryption on your wireless router? currently, the nintendo DS only supports WEP encryption, which is considered relatively weak by security dudes, but it's better than nothing and will make war drivers just lookin' to get online move on and find a network without any encryption. check your access point's manufacturer's web site for step-by-step info on how to enable WEP (you'll also have to configure it on your DS but it's a snap).

a combination of XP's built-in security powers and a wireless router with NAT and some kind of encryption is actually a pretty secure combination. as long as you keep up with windows updates, you'll be fine.
posted by mcsweetie at 1:29 PM on January 15, 2006

If you had the wireless router previously, say for using with a wireless laptop or something, it's just as safe as it previously was. Actually in all truth, if you use WEP encryption on your wireless network, it's marginally easier to break the encryption because the DS adds to the sum total of packets flying around in the air. WEP is inherently weak, and given time, the right tools, and ingestion of enough of the packets going from device<>router, it can be broken.

Would I worry? Not particularly. Turn on MAC address control (consult router's manual) and a decent WEP password (nothing in the dictionary) that changes semi-frequently. Unfortunately WPA isn't supported on the DS as far as I know.

Most of the time the effort involved to break on to your wireless network far outweighs the benefits. There are plenty of folks who leave their APs wide open, and other folks usually use that path of least resistance. :-)
posted by GreenTentacle at 1:30 PM on January 15, 2006

oh one more thing, when you're configuring your router, you'll probably have to login via your web browser. if you haven't already changed the login and password, do that right away! on the odd chance that someone does crack your WEP key, they can login to your router using the default username and password and wreak all kinds of havoc.
posted by mcsweetie at 1:33 PM on January 15, 2006

This is pretty unlikely. For this to happen your computers would have to be hackable to begin with. So let's assume you have an unpatched version of XP running, thus someone can use the LSASS vulnerability to hack the machine. Of course, if your computer is patched this will not work.

Okay now that we have a vulnerable computer, we're still okay because your router is not going to let packets from the outside access your File and Sharing ports AND Windows Firewall will only accept those packets from your subnet.

What's a subnet?

Okay, your computer has an IP address. Let's say it's Everything on your network with the same three octets (192.168.1) is on your subnet.

Now when your DS connects it gets an IP address on your subnet. Let's say

Now let's toss in the highly unlikely event that Nintendo's servers have been breached. Now toss in the unlikely event that these hackers are also able to hack the client software on the DS, in this case MarioKart, to send the LSASS exploit to your computer.

In this highly unlikely (if not very difficult considering the game and Nintendo are closed systems) scenario, yes, your unpatched computer has just been hacked.

Historically, there have been no such security breaches for the PS2, Xbox live, etc. So you've got that going for you.

Now let's say for the sake of argument there is a DS hack. But your kid still wants to play. You could do two things to protect your computers from a malicious DS. (malicious DS, how amusing).

Set your Windows Firewall on your PC so that it does NOT allow File and Printer sharing with the subnet. Now the DS can't even talk to it. Of course this will break any file and printer sharing you have. You can manually add IPs of other computers. For instance if you know your laptop is then you could add that to the allowed list for File and Print sharing in Windows Firewall.

Another thing you can do is use the DMZ setting on your router to put the DS in a DMZ. In a DMZ the DS cannot talk to anything on your subnet, it's treated like an external device. Note, some implementations of DMZ do not work like this, so you'll have to talk to your manufacturer about this.

Anyhoo, it's pretty safe, but you always have the option to use your windows firewall to protect you from devices on your subnet.
posted by skallas at 1:49 PM on January 15, 2006
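
The scoping difference described in the answer above, modelled as an added example (not part of the thread, and not Windows Firewall's own API): a subnet-scoped exception admits every device that joins the LAN, including the DS, while a custom allow list admits only the named machines. All addresses are constructed sample values and the function names are hypothetical.

```python
import ipaddress


def scope_allows(src, pc_iface, scope, custom=()):
    """Return True if a packet from `src` passes an exception with this scope.

    scope: "any"    - every source address
           "subnet" - only sources on the PC's own local subnet
           "custom" - only sources inside the listed addresses/ranges
    """
    src_ip = ipaddress.ip_address(src)
    if scope == "any":
        return True
    if scope == "subnet":
        # The local subnet is derived from the PC's own address and mask.
        return src_ip in ipaddress.ip_interface(pc_iface).network
    if scope == "custom":
        return any(src_ip in ipaddress.ip_network(entry, strict=False)
                   for entry in custom)
    raise ValueError(f"unknown scope: {scope!r}")


# Constructed sample addresses (assumptions for illustration only).
PC = "192.168.1.10/24"
SOURCES = {
    "laptop": "192.168.1.11",     # trusted machine on the LAN
    "ds": "192.168.1.23",         # handheld that joined over wifi
    "internet": "203.0.113.5",    # outside host (documentation range)
}


def decision_table(custom_allow):
    """Map each source to (passes subnet scope, passes custom scope)."""
    return {
        name: (scope_allows(ip, PC, "subnet"),
               scope_allows(ip, PC, "custom", custom_allow))
        for name, ip in SOURCES.items()
    }


if __name__ == "__main__":
    # File and Printer Sharing limited to the laptop only.
    for name, (subnet_ok, custom_ok) in decision_table(["192.168.1.11"]).items():
        print(f"{name:9} subnet-scope={subnet_ok!s:5} custom-scope={custom_ok}")
```
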

As others have said the biggest thing to worry about is to make sure your husband has set WEP encryption on the router. Without WEP most wireless routers let anyone access them. The DS supports WEP encryption with no problems.
posted by skallas at 1:51 PM on January 15, 2006

I concur with the "safe if you're using WEP" crowd. I set my son's DS up on our wireless network a couple weeks ago and it went in just as easily as any of the standard machines I've added, even entering the long-ass WEP key on that DS-emulated keyboard.

I also go a step further and add the DS's MAC address to the allowed list in the router.

As long as you have some reasonable level of encryption enabled at the router, I think you should feel pretty safe.
posted by hwestiii at 5:33 PM on January 15, 2006

The Nintendo handset works only with WEP encryption. WEP encryption has been broken. It is now useless. If your network supports the DS, then any random passer-by can crack your network within 5 minutes.

They can then use your connection to send spam and do otherwise illegal things, for which YOU will take the heat.

You should switch to WPA, the new form of encryption, immediately. It will break the DS' ability to go online at your house, but IMO, that's not really an issue compared to going to court for music piracy or jail for hacking.

If you have the technical chops, setting up a second wireless access point on a SEPARATE WIRE from your internal network would be possible... there are four outgoing TCP ports you have to open to the whole Net, and you have to allow all UDP traffic, both in- and out-bound. (the Nintendo wifi site has details in the FAQ).

Outbound UDP isn't too dangerous. All the nasty stuff I know of is carried via the standard TCP, which you would almost completely block. If all you have on that wireless network is the access point and the DS, that would be a pretty safe setup, even though the encryption is weak. Even if someone hacks in, they can't really do much useful... except play DS games, anyway. :)

The knowledge in how to DO this, however, is rather arcane, and it's not likely you'll be able to do it with a standard access point/firewall. You'd need an AP that supported two internal networks, and I'm not aware of any cheap ones that do.

It was totally irresponsible for Nintendo to release a WEP-only device in 2004.
posted by Malor at 6:22 PM on January 15, 2006

Er, 2005. :)
posted by Malor at 8:35 AM on January 16, 2006
