When hackers revealed an unpatchable exploit allowing deep system access in all existing Switch consoles back in April, some industry watchers worried that this would lead to widespread piracy for copyrighted games on the system. Additional work by longtime Nintendo hacker SciresM, though, lays out the relatively robust protections Nintendo has in place to detect systems playing pirated games online and to permanently ban those consoles from Nintendo's network.
SciresM's lengthy Reddit post goes into a good level of technical detail on how Nintendo authorizes games and systems when connecting to the Nintendo network. The core of the protections comes from a unique encrypted client certificate stored in the "TrustZone" core of every Switch unit.
That certificate is used to identify the specific hardware being used to log in to Nintendo's servers, meaning a banned console will stay banned from the network permanently. That's a change from the 3DS, where users could use a fake token to get around a console-level network ban (at least until another ban came down, that is).
For Switch games themselves, Nintendo also uses encrypted certificates to verify that the game in question is legitimate when connecting online. In the case of physical game cards, that certificate is a unique, RSA-2048-signed string that's written at the factory. That means "sharing of certificates should be fairly detectable, for Nintendo," SciresM writes, and the system fills in a 3DS security hole that involved the reuse of legitimate game-specific header information.
For downloadable Switch games, an encrypted ticket inside the game data integrates information about the game with the console's unique Device ID and the Nintendo Account ID used to purchase it. This method "actually perfectly prevents online piracy," SciresM writes, by cryptographically tying downloaded copies of games to the system and account first used to purchase them. If you download an illegitimate copy of a Switch game that was purchased on a different console/account, Nintendo can detect the mismatch as soon as you log in and immediately ban the console from its network.
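To make the two detection ideas above concrete, here is an added, constructed model (not Nintendo's ticket format, and not code from SciresM's post) of the server side: a ticket whose signed body binds a title to the purchasing console's device ID and account ID, a login check that bans the console on the first mismatch, and a check that flags a game-card certificate seen online from two different consoles at the same time. The article describes RSA-2048 signatures; the model uses an HMAC-SHA256 tag from the standard library as a stand-in so it runs offline. All identifiers, keys and session records are constructed sample values.

```python
import hashlib
import hmac
import json
from collections import defaultdict

# Constructed issuer key. The article describes RSA-2048 signatures; an HMAC tag
# stands in here so the example runs with only the standard library. The
# binding and mismatch logic, not the signature primitive, is the point.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"


def _canonical(body: dict) -> bytes:
    """Serialize the ticket body deterministically so the tag covers every field."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_ticket(title_id: str, device_id: str, account_id: str,
                 key: bytes = ISSUER_KEY) -> dict:
    """Issue a ticket binding a title to the purchasing device and account (constructed format)."""
    body = {"title_id": title_id, "device_id": device_id, "account_id": account_id}
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify_ticket(ticket: dict, presented_device_id: str, presented_account_id: str,
                  key: bytes = ISSUER_KEY) -> str:
    """Server-side check at login: returns 'ok' or the first failure reason."""
    expected = hmac.new(key, _canonical(ticket["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        return "bad_signature"      # body edited after issue, or tag forged
    body = ticket["body"]
    if body["device_id"] != presented_device_id:
        return "device_mismatch"    # ticket was issued to a different console
    if body["account_id"] != presented_account_id:
        return "account_mismatch"   # ticket was issued to a different account
    return "ok"


class LoginServer:
    """Minimal model of the network side: verify every ticket, ban the console on a mismatch."""

    def __init__(self, key: bytes = ISSUER_KEY):
        self.key = key
        self.banned_devices: set[str] = set()   # keyed on the hardware identity, so the ban persists

    def login(self, device_id: str, account_id: str, tickets: list[dict]) -> str:
        if device_id in self.banned_devices:
            return "banned"
        for ticket in tickets:
            result = verify_ticket(ticket, device_id, account_id, self.key)
            if result != "ok":
                self.banned_devices.add(device_id)
                return f"banned:{result}"
        return "ok"


def card_cert_sharing_report(sessions: list[tuple[str, str, int, int]]) -> dict:
    """Flag game-card certificates online from two different consoles at overlapping times.

    sessions are constructed (card_cert_id, device_id, start, end) records with
    integer timestamps. One physical card cannot be in two consoles at once, so an
    overlap between sessions on different devices indicates a copied certificate.
    """
    by_cert = defaultdict(list)
    for cert_id, device_id, start, end in sessions:
        by_cert[cert_id].append((start, end, device_id))
    flagged: dict = {}
    for cert_id, items in by_cert.items():
        for i, (s1, e1, d1) in enumerate(items):
            for s2, e2, d2 in items[i + 1:]:
                if d1 != d2 and s1 < e2 and s2 < e1:
                    flagged.setdefault(cert_id, set()).update({d1, d2})
    return {cert: sorted(devs) for cert, devs in flagged.items()}


if __name__ == "__main__":
    ticket = issue_ticket("TITLE-0001", "DEV-A", "ACCT-1")
    server = LoginServer()
    print(server.login("DEV-A", "ACCT-1", [ticket]))   # purchasing console: ok
    print(server.login("DEV-B", "ACCT-1", [ticket]))   # copied ticket: banned:device_mismatch
    print(card_cert_sharing_report([("CARD-1", "DEV-A", 100, 200),
                                    ("CARD-1", "DEV-B", 150, 250)]))
```

The ticket check fails closed on the signature before it looks at the bound identifiers, so a ticket whose device or account fields were rewritten to match the presenting console is rejected as a forgery rather than accepted as a match. The card check deliberately keys on concurrency rather than on a raw count of consoles, since a physical card legitimately moves between systems over time.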