Security issues regarding AltWFC servers or malicious DNS entries
Important things first: If you are playing on Wiimmfi, either using automatic DNS, the Wiimmfi DNS (22.214.171.124), the RiiConnect24 DNS (126.96.36.199) or other trustworthy DNS servers like the ones from Google, this message does NOT apply to you.
It only applies if you play on an AltWFC clone, or if you are using untrustworthy DNS servers or networks.
TL;DR at the bottom.
The Wii (and WiiU) is a relatively old console (14 years Wii, 8 years WiiU), and both of them haven't been receiving security updates from Nintendo in a long time. While that is a good thing when you are trying to mod / homebrew your own console or play online on Wiimmfi (easy access through the license agreement), it also means that more and more security issues are found in the console(s) and/or the games that can be abused.
In 2018, we noticed that there was a critical bug in Mario Kart Wii which could, in theory, be abused to run cheat codes / executable code on *other* consoles, just by being in the same Mario Kart Wii race as them. Obviously, that's a bad thing, because it would allow hackers / cheaters to brick your Wii if they wanted to. This critical bug was the main reason why we introduced new Wiimmfi patchers back then which fixed this bug. This means, when you play on Wiimmfi this bug cannot be abused and is no risk to your console anymore.
Also, in 2018, Fullmetal5 created the "str2hax" exploit, which is what is used to load the Wiimmfi patcher from the Wii End User License Agreement to let you play on Wiimmfi without homebrew. This works by abusing the License Agreement display, by sending executable code to the console instead of an HTML page. We (on the Wiimmfi server) are using that to send a Wiimmfi patcher to the console and autostart it, but a malicious attacker (if you were using a malicious DNS Sserver) could theoretically send bricking codes instead of a Wiimmfi patcher.
In addition to these two main bugs there have been a couple smaller ones as well, that could in theory be abused for similar things. All of them have been patched on Wiimmfi as well.
Until very recently, the bug that we've fixed with the new Wiimmfi patchers wasn't widely known. The codes needed to abuse that bug weren't public, and only a few people (MrBean (who first found the security issue), Chadderz, Wiimm and me; plus Star, a hacker who later found the security issue as well) knew how exactly the bug worked. We didn't want to make it widely known how it worked.
However, Star (sadly) decided to make his exploit code public, which means, that on unpatched servers (ANY non-Wiimmfi server) a malicious attacker could now brick your Wii just by being in the same Mario Kart Wii room as you; and the operators of that server could brick your console when you connect to their server. Similarly, if you use a malicious DNS server provided to you by an attacker, he could brick your Wii when you try to view the License Agreement.
Now what I'm saying does not mean that connecting to an AltWFC server will instantly brick your console. However, if the operator of that server would decide to do that, for whatever reason, they *could* absolutely do that. Similarly for playing on an AltWFC server. This announcement doesn't mean that your Wii will instantly be bricked when you play a race on AltWFC - but in theory, every player in your race would have the theoretical opportunity to do so.
TL;DR (Summary of the above)
- If you are playing on Wiimmfi, on a trustworthy network, with a trustworthy DNS server (Wiimmfi or RiiConnect24, or "standard" ones like Google), you are safe.
- If you are using a malicious DNS server operated by an attacker (or if the attacker controls your network), that attacker could brick your console when you view the EULA, visit a web page in the Internet Channel, or try to connect to an AltWFC-based server.
- If you are playing Mario Kart Wii on an AltWFC-based server, any player in your race could theoretically brick your console if they wanted to. This does NOT apply to Wiimmfi!