If your child has a Nintendo Switch, you need to know that with one easy trick your kids can reset your parental controls password in less than two minutes.
So for Christmas this last year I got my kids a Nintendo switch. We had Gameboys and DS’s in the past, and they were mostly harmless, so I went ahead and bought the Switch, assuming the same level of separation and a basically sterile interface. When we got it opened up and running, I was amazed. Not only is this the most advanced handheld I have ever used or seen, but this thing is also as wide open as a PC. Your kids can get themselves at no end of trouble on one of these. However, they do offer parental controls, which I immediately set. I restricted the apps and set time limits. The controls seemed really easy to use, and also quite feature complete. My kids really didn’t like them at first, but then they just warmed up to them. No issue. The problem started when my oldest asked to put Fortnite on it. I don’t mind him playing. I play also, but I also let the two younger brothers use the Switch with very little oversight as the parental controls seem to work so good. Therefore I told him no, the Switch would stay with only games appropriate for his brothers and we would have one device that did NOT have fortnite. There was some brief pushback, and then it all was fine. I assumed this was a closed topic and I put it out of my mind. For a little while.
Today, my youngest brought me the Switch with a game question, and when I looked at the screen, there was Fortnite. I didn’t say anything, I just went into parental controls to restrict it until I could sort out exactly how it got there, or I should say, I TRIED to go into parental controls. My password didn’t work. I started down the road to changing my password, when I stopped to make dinner. My oldest son came looking for the unit, found it with me on it, and “realized he may have done something really stupid.” We sat down to talk about it, and he explained what he had done. The short version is, he changed the password. When I asked him how he showed me, and it took less than two minutes. Seriously, you, or your kids, can walk past your Parental controls password in less than two minutes.
I wrote an article about the root of this problem a while back called “Your kids aren’t smarter than you, just more motivated” . In that I detailed exactly how your kids can go to Google and just type in the question: “How do I …(whatever they want to do)” and Google will send them immediately to all the webs knowledge on how to do that thing. That is really powerful as a learning tool, your kids can really use this to grow their knowledge, however when what they are trying to learn is something malicious, that data is there too, and Google serves it up on a platter, in this case, complete with Youtube videos of exactly how and where to do this the easiest.
In the case of Nintendo Switch hacks, it took them to a website that literally generates the Master Key for the switch by typing the inquiry number into the site. The exact steps, complete with photos will follow.
First, enter the wrong pin about six times in a row.
Second, you will get a warning that says you have entered the incorrect PIN too many times, wait 30 minutes before trying again. At that point, at the bottom of the screen on the right side, there are three options, Help, Change to Keypad Input, and close. Select the middle option, “change to keyboard input.”
Third, you will see a screen with a big OK button, push it.
Fourth, when you go back to the disabled login screen, push the “Plus” button on the top right close to the X button. When you do you will get a new screen about disabling the parental controls, scroll to the bottom. There you will find your inquiry number.
Fifth, on any device with a browser, navigate to the site: mkey.salthax.org . There you will find a few simple questions to answer, Device type, System Date, and Inquiry Number. Fill in all these boxes, including that inquiry number that is now present on the screen of the switch still from step four above. This will generate a Master Key.
Sixth, enter that master key generated in the browser in step five into the Master Key box on the Switch. The Switch will ask you for a new PIN, and after you enter a new PIN of your choosing, you are immediately able to disable all parental controls temporarily.
Lastly, here is the other real danger in this, when Parental Controls are Off or disabled, first, I did NOT get any notification on my phone app that I use to set up and manage my switch parental controls. At all. My parental controls password on the switch is changed, and I AM NOT NOTIFIED! This is unbelievable. When my son hacked into his own Xbox account to do the same thing, he got thru, but I got an email and was able to go immediately regain control. NO NOTIFICATION! Shame on Nintendo! Secondly, There is nothing visible on the Switch itself or in the app on my phone that is synced to it stating that anything was changed. Also, the app on my phone didn’t list the parental controls on the device as “Temporarily Disabled.” Anyone of these flags could have saved me much trouble.
So, like everything else here, I have shown you the problem, how do we fix it? Well, the fastest, most effective way I have found so far, is to log into the admin console on your router and add the website: mkey.salthax.org to the Always Blocked list. Now, at least at home, the kids can’t get the master key as any browser they use will be prevented from opening it. If you use a service like Boomerang App or JaMF to administer global settings on your kids iOS devices, you can add the site to thier blocker also. Lastly, you can add the side to the blocked list on Google Family and you Microsoft Family accounts. Hopefully, that will make them unable to open the site and therefore think that the site is down, the instructions they googled don’t work, and they give up. In reality, they probably won’t, but that is the hope. Also, write to Nintendo. Shame the heck out of them. File support tickets with them about this. To use the parental controls on the Switch, you need to have a smartphone app.
Recommend them to use that same app for two-factor authentication. If they did that, then this whole master key would be useless if the user didn’t have access to you, your passwords, your device, and your control app. It still wouldn’t be perfect, but nothing is. They can act like this is a hard computer science problem but it realy isn’t every game platform around has solved it, and none with this big of a hole. Not Steam, nor Xbox Live, or iOS, play store, or even Blizzard have all solved this problem safely.
Also, always remember that your kids are not smarter than you, but they are more motivated. Stay vigilant, stay engaged, and remember, If they get quiet, they are probably up to something not right. Therefore if they are always bugging for access to one thing or another, and then they stop begging for it, they probably found a way around it. They didn’t stop wanting it, they just found a way to get it without you. Active parenting is the only answer for active kids in an active world.
Categories: Kids and Tech