> Whether PC users, our core readership, will be interested in actually emulating Xbox One, looks unlikely. The 2013 system’s game library is largely overlapped in better quality on the PC platform.
And this explains why it's stayed unhacked so long. There was very little incentive to hack the system when the games are all playable on a PC. Pirates, cheaters, archivists, and hackers could just go there. Microsoft's best security measure was making something nobody cared enough about to hack in the first place
No? It is crowbar voltage glitching, but you're significantly underselling it here. The glitching does not affect key comparisons.
It's a double-glitch. The second glitch takes control of PC during a memcpy. The first glitch effectively disables the MMU by skipping initialization (allowing the second glitch to gain shellcode exec).
It's fascinating - how does one defend against an attacker or red-team who controls the CPU voltage rails with enough precision to bypass any instruction one writes? It's an entirely new class of vulnerability, as far as I can tell.
This talk https://www.youtube.com/watch?v=BBXKhrHi2eY indicates that others have had success doing this on Intel microcode as well - only in the past few months. Going to be some really exciting exploits coming out here!
> how does one defend against an attacker or red-team who controls the CPU voltage rails
The xbox does have defences against this, the talk explicitly mentions rail monitoring defences intended to detect that kind of attack. It had a lot of them, and he had to build around them. The exploit succeeds because he found two glitch points that bypassed the timing randomisation and containment model.
This attack is on the early models that didn't have those protections enabled. The researcher surmised that later models do indeed have anti-glitching mechanisms enabled.
You can't. Console makers have these locked-down little systems with all the security they can economically justify... embedded in an arbitrarily-hostile environment created by people who have no need to economically justify anything. It's completely asymmetrical and the individual hackers hold most of the cards. There's no "this exploit is too bizarre" for people whose hobby is breaking consoles, and if even one of those bizarre exploits wins it's game over.
And if you predict the next dozen bizarre things someone might try, you both miss the thirteenth thing that's going to work and you make a console so over-engineered Sony can kick your ass just by mentioning the purchase price of their next console. ("$299", the number that echoed across E3.)
The Xbox 360 was hacked in a simpler but nearly identical way [1]! Amazing that despite the various mitigations, the same process was enough to crack the Xbox One.
The earliest example I know of for this is CLKSCREW, but security hardware (like for holding root CA private keys) was hardened against this stuff way before that attack.
The presentation notes that this hack currently only works with the first revision of silicon. Later variants have more protections, like some anti-glitching tech that wasn’t quite debugged for the early units being enabled for later runs, and further changes with the security / reset subsystems being split into two separate cores with revised consoles like the the One X. So these would be more of a challenge, even if there’s now an angle of attack to investigate.
The new Xbox is going to be a specialized PC running Windows with full access to third party game stores (Steam, Epic, etc). It won't need to be "hacked" because anyone will already be able to run any software they want on it.
I mean, at that point it is a pre-configured gaming PC. Hardware that's uniform across millions of units provides advantages, both for developers and users. IMO that's a big part of why the Steam Deck outsells more powerful competitors: there are so many of them that it gets targeted by developers, so more people buy them, in a virtuous cycle.
Physical possession of a machine is pretty hard to make secure. It's a different level of secure, an order of magnitude less secure than remote attackers. This is expected?
This is great news. Hopefully this opens the floodgates towards emulation and homebrew. Not that there are really any exclusives, but it would be interesting.
Seems unlikely. Someone would have to turn this into a modchip, set up physical distribution networks (all very illegal under the DMCA), and it'd only work on the 2013 machines - Chen's team clearly anticipated this type of attack and were already working on mitigations around the time the Phat released. So as he says at the end, later silicon already has more glitch mitigations built in and has done for a long time. Current gen Xbox isn't even investigated but we can assume it's even harder. They were clearly paying for red teaming. Remember: ZERO software bugs in the boot rom.
Xbox One homebrew has effectively always been supported. Anyone can register a development account and boot the system into dev mode. IIRC in a talk about console security, a Microsoft developer noted that this was an intentional deterrent against hacking. An effort to split the community so that pirates and homebrew enthusiasts wouldn't have a reason to collaborate.
They did dumb things like limit memory availability in dev mode, though. Also they require a government ID to enable dev mode (but at least the quit charging $100 for it!). And they made it so you can't enable dev mode on consoles that are banned from Xbox services.
I understand it's still more than most console makers do, having dev mode at all, but it's maddening to me that Microsoft made dev mode so annoying and limited. I'd honestly just rather a hack be available so we have the option of using the entire memory or repurposing banned consoles.
Microsoft released a video that covers effectively all of the Xbox One security system, and it's referred to extensively in the talk. The specific methods of glitching don't require any insider knowledge.
They also told everyone they added more anti glitching to later hardware revisions; which by the process of elimination tells everyone they thought this was possible.
The whole initiative was a success when it gave them a year; an unqualified triumph when it gave them the whole generation; they really are not going to be to sad after 12 years.
Right, as Markus says - even gods can bleed. And he's right: Tony Chen's team did god-level work with the Xbox One security system, so what must have followed in the Xbox Series S is truly unknowable. I don't think there's even a tech talk on it. This talk is probably the most elite hacking talk I've ever watched. Everyone who worked on this stuff at MS can and obviously should be very proud of what it took - especially as this probably won't have any commercial impact on Xbox game devs or multiplayers.
I think this might be a good example of the fundamental misunderstanding of what "security" even is. It is never a binary state. Never was. And I think a lot of people don't really grok that and think that if a security block can be overcome in some manner then the thing is not secure.
Eventually Fort Knox will succumb to the unrelenting arrow of time and some future visitors will simply step over the crumbling wall and into the supposedly "secure" area.
i find this statement is often used as an excuse to not think about security at all. which is probably not what you intended here (i hope, although you did say "pointless"...), but some people parrot it for that purpose.
a) this was a security win. millions and millions of people had physical access to the device for over a decade
b) as others have said, security is not all-or-nothing. the xbox one is extremely secure, despite not being perfectly secure.
c) just because something eventually gets hacked does not mean security was pointless. delaying access is a perfectly reasonable security goal. delaying access until the product is retired and the successor is already out on the market is a huge win.
One of the DRM circumvention methods for the Xbox 360 involved precision drilling a specific depth into one of the chips on the board. Microsoft was very aware of the nature of physical access while designing this, haha.
I had many Xbox 360s with flashed DVD drive firmware back in the day. But as I never owned a slim console I had no idea the drill/Kamikaze hack was a thing until now.
This seems like an unqualified win for the security measure. The future value of Xbox One DRM is probably close to zero. They already got what they wanted out of it.
'pointless' is doing a lot of heavy lifting there.
This console went completely unhacked for 12 years, with this coming a solid 4 years after the hardware was discontinued. They kept piracy off the console for its whole lifespan, which was the entire point of these security measures. This is a massive success for the Xbox security team.
I can give you a piece of paper with a one time pad encoded secret, where the one time is physically destroyed. You can take all the time you want but you will not crack anything…
Thanks for the mention! I helped with the collateral damage exploit (wrote the PE loader).
I didn't ask but Emma -- who wrote the kernel-mode exploit -- and I would probably agree that Collat is not really what we would consider a proper hack of the console since it didn't compromise HostOS. Neither of us really expected game plaintext to be accessible from SRA mode though.
Given that it held up against 13 years of dedicated efforts by people with physical access to the device, many years after its successor was launched, it seems merited in this case.
"Extremely hard to hack" or "Hackable only after it's retired" don't exactly roll off the tongue, but they are not synonymous with "Unhackable".
In many cases the truth is simply that its not worth the time/effort to hack it, so only the most dedicated perverts(with a positive connotation) keep trying.
I agree, but also find it funny that by that standard the DRM in the original Google video streaming product was not hacked before the service was shutdown, after about 2 years :)
To the community it was unhackable, until very recently.
It's security measures held up so long that it appeared to be unshakable. There were no obvious flaws.
In hindsight it was hackable, but keep in mind how long it took. This console has long been obsoleted.
It was unhackable while it mattered. It was hacked 5 years after it no longer mattered. And all but the effectively beta release remain unhacked even now.
In the very strict interpretation probably nothing is unhackable, just not hacked yet. But one should also be pragmatic about what "unhackable" means in context. Without the power of hindsight, a consumer device that stayed unhacked for ~13 years can be reasonably called unhackable during this time.
We don't need to contribute to word inflation. There's "really hard," there's "nearly impossible," there's even "impossible – as far as we know." I don't think it shows a lack of pragmatism to assume a technological claim, made by a technology company, should't be taken at face value. On the contrary, I'd advise more pragmatism to anyone failing to disregard an "unhackable" claim made by Microsoft specially even after fixnum years without known exploits.
I think it's like calling a ship "unsinkable". Yes, you engineered it to not sink, in accordance with strict maritime standards no doubt, but just don't call it unsinkable. If you call it unsinkable you're just begging for a century of snickering at your hubris.
It has no relation to hubris whatsoever if the "unhackable" label is not something self-proclaimed at launch but something descriptively applied by other people who were unable to hack it. Nobody would have snickered if the Titanic were described as unsinkable by people who had been trying to sink it for 10 years.
> Nobody would have snickered if the Titanic were described as unsinkable by people who had been trying to sink it for 10 years.
Pedantic: I'm sure somebody would have snickered about "unsinkable" if the Titanic sank after 10 years. Pragmatic: if the "unsinkable" Titanic lasted 10 years (or at least to profitability) before being sunk by people intending to sink it, that might certainly count as being "unsinkable" for the time it hadn't sunk.
Hubris: Titanic was claimed to be unsinkable before it was launched.
I wish people would take statements in relative terms along with the whole context before attempting to refute them with a quick gotcha in absolute terms.
Obviously nothing is ever unhackable, not even Fort Knox, given infinite time and resources, and Microsoft never made such claims, this is just media editorializing for clicks and HN eating the bait, but Xbox One was definitely the most unhackable console of its generation. Case in point, it took 13 years of constant community effort to hack a 499$ consumer device from 2013. PS4 and iPhones of 2013 have also been jailbroken long ago.
Therefore, even the click-bait statement with context in relative terms is 100% correct, it truly was unhackable during the time it was sold and relative to its peers of the time.
This goes against information theory as a whole, and the point of words. How are you going to convey all this extra context to people who don't follow the space, and what word(s) do we use for something that is actually unhackable?
> Case in point, it took 13 years of constant community effort to hack it.
Can you attempt to quantify this effort in comparison to other game consoles? I'm not very familiar with the Xbox scene, but I would assume that there was a lot less drive to achieve this given that Xbox has never really had many big exclusive titles and remains the least popular major console (with an abysmally tiny market presence outside of the US).
As an aside, I wonder if Microsoft's extra effort into securing the platform comes from their tighter partnership with media distributors/streaming platforms and their off-and-on demonstrated desire to position the Xbox as a home media center more than just a gaming console.
>and remains the least popular major console (with an abysmally tiny market presence outside of the US).
TF are you on about? The xbox one of 2013(competitor of the PS4 who got hacked long before) had a ~46% market share in the US and ~35% globally. Hardly insignificant. And any Microsoft Product, even those with much lower market share, attracts significant attention from hackers since it's worth a lot in street-cred, plus the case of reusing cheap consoles as general PCs for compute since HW used to be subsidized. And of course for piracy, game preservation and homebrew reasons.
I again tap the sign of my previous comment, of uring people to stop jumping the gun to talk out of their ass, without knowing and considering the full context.
> Whether PC users, our core readership, will be interested in actually emulating Xbox One, looks unlikely. The 2013 system’s game library is largely overlapped in better quality on the PC platform.
And this explains why it's stayed unhacked so long. There was very little incentive to hack the system when the games are all playable on a PC. Pirates, cheaters, archivists, and hackers could just go there. Microsoft's best security measure was making something nobody cared enough about to hack in the first place
There was a time when it would have been a hot target, but everything the original modded Xbox could do could be done easier elsewhere.
Created a voltage drop that exactly occurred to be timed to the key comparison, then a spike at the continuation.
Irl noop and forced execution control flow to effectively return true.
B e a utiful
No? It is crowbar voltage glitching, but you're significantly underselling it here. The glitching does not affect key comparisons.
It's a double-glitch. The second glitch takes control of PC during a memcpy. The first glitch effectively disables the MMU by skipping initialization (allowing the second glitch to gain shellcode exec).
It's fascinating - how does one defend against an attacker or red-team who controls the CPU voltage rails with enough precision to bypass any instruction one writes? It's an entirely new class of vulnerability, as far as I can tell.
This talk https://www.youtube.com/watch?v=BBXKhrHi2eY indicates that others have had success doing this on Intel microcode as well - only in the past few months. Going to be some really exciting exploits coming out here!
> how does one defend against an attacker or red-team who controls the CPU voltage rails
The xbox does have defences against this, the talk explicitly mentions rail monitoring defences intended to detect that kind of attack. It had a lot of them, and he had to build around them. The exploit succeeds because he found two glitch points that bypassed the timing randomisation and containment model.
> It's an entirely new class of vulnerability, as far as I can tell.
It is know as voltage glitching. If you're interested our research group applies to Intel CPUs. https://download.vusec.net/papers/microspark_uasc26.pdf
Could a chip detect this and reset?
Yes, and the Xbox One has mechanisms to do just that. But they turned out to not be fully sufficient.
This attack is on the early models that didn't have those protections enabled. The researcher surmised that later models do indeed have anti-glitching mechanisms enabled.
You can't. Console makers have these locked-down little systems with all the security they can economically justify... embedded in an arbitrarily-hostile environment created by people who have no need to economically justify anything. It's completely asymmetrical and the individual hackers hold most of the cards. There's no "this exploit is too bizarre" for people whose hobby is breaking consoles, and if even one of those bizarre exploits wins it's game over.
And if you predict the next dozen bizarre things someone might try, you both miss the thirteenth thing that's going to work and you make a console so over-engineered Sony can kick your ass just by mentioning the purchase price of their next console. ("$299", the number that echoed across E3.)
The Xbox 360 was hacked in a simpler but nearly identical way [1]! Amazing that despite the various mitigations, the same process was enough to crack the Xbox One.
[1] https://consolemods.org/wiki/Xbox_360:RGH/RGH3
The earliest example I know of for this is CLKSCREW, but security hardware (like for holding root CA private keys) was hardened against this stuff way before that attack.
Has anyone heard of notable earlier examples?
I think it counts as effectively unhackable since it remained unhacked until five and a half years after its successor went on the market.
I wonder if, assuming they continue making Xbox, they find a way to mitigate this in the next generation.
The presentation notes that this hack currently only works with the first revision of silicon. Later variants have more protections, like some anti-glitching tech that wasn’t quite debugged for the early units being enabled for later runs, and further changes with the security / reset subsystems being split into two separate cores with revised consoles like the the One X. So these would be more of a challenge, even if there’s now an angle of attack to investigate.
> assuming they continue making Xbox
It sounds like that's the plan:
https://news.xbox.com/en-us/2026/03/11/project-helix-buildin...
The new Xbox is going to be a specialized PC running Windows with full access to third party game stores (Steam, Epic, etc). It won't need to be "hacked" because anyone will already be able to run any software they want on it.
What is the point of a device like this if the only difference is form factor? Why wouldn't someone just buy a pre-configured gaming PC?
I mean, at that point it is a pre-configured gaming PC. Hardware that's uniform across millions of units provides advantages, both for developers and users. IMO that's a big part of why the Steam Deck outsells more powerful competitors: there are so many of them that it gets targeted by developers, so more people buy them, in a virtuous cycle.
Physical possession of a machine is pretty hard to make secure. It's a different level of secure, an order of magnitude less secure than remote attackers. This is expected?
This is great news. Hopefully this opens the floodgates towards emulation and homebrew. Not that there are really any exclusives, but it would be interesting.
Seems unlikely. Someone would have to turn this into a modchip, set up physical distribution networks (all very illegal under the DMCA), and it'd only work on the 2013 machines - Chen's team clearly anticipated this type of attack and were already working on mitigations around the time the Phat released. So as he says at the end, later silicon already has more glitch mitigations built in and has done for a long time. Current gen Xbox isn't even investigated but we can assume it's even harder. They were clearly paying for red teaming. Remember: ZERO software bugs in the boot rom.
Xbox One homebrew has effectively always been supported. Anyone can register a development account and boot the system into dev mode. IIRC in a talk about console security, a Microsoft developer noted that this was an intentional deterrent against hacking. An effort to split the community so that pirates and homebrew enthusiasts wouldn't have a reason to collaborate.
They did dumb things like limit memory availability in dev mode, though. Also they require a government ID to enable dev mode (but at least the quit charging $100 for it!). And they made it so you can't enable dev mode on consoles that are banned from Xbox services.
I understand it's still more than most console makers do, having dev mode at all, but it's maddening to me that Microsoft made dev mode so annoying and limited. I'd honestly just rather a hack be available so we have the option of using the entire memory or repurposing banned consoles.
Very few exclusives. Couple of Forzas? Halo 5? Practically everything else available elsewhere in similar quality.
I'm just excited at the opportunity to re-purpose my old launch day XBone as some kind of little homelab linux box.
Note this only affects the very first original 2013 "VCR" hardware. Newer revisions and variants are still unaffected.
Is there any better format article or writeup? I couldn't find anything.
Marcus used to work for Microsoft, in the MSRC. I wonder if he used insider knowledge for this hack.
Microsoft released a video that covers effectively all of the Xbox One security system, and it's referred to extensively in the talk. The specific methods of glitching don't require any insider knowledge.
They also told everyone they added more anti glitching to later hardware revisions; which by the process of elimination tells everyone they thought this was possible. The whole initiative was a success when it gave them a year; an unqualified triumph when it gave them the whole generation; they really are not going to be to sad after 12 years.
Right, as Markus says - even gods can bleed. And he's right: Tony Chen's team did god-level work with the Xbox One security system, so what must have followed in the Xbox Series S is truly unknowable. I don't think there's even a tech talk on it. This talk is probably the most elite hacking talk I've ever watched. Everyone who worked on this stuff at MS can and obviously should be very proud of what it took - especially as this probably won't have any commercial impact on Xbox game devs or multiplayers.
This just again shows that given enough time skill, and resources, any security is pointless if the attacker has physical access to the device.
Better stop locking your doors, then.
I think this might be a good example of the fundamental misunderstanding of what "security" even is. It is never a binary state. Never was. And I think a lot of people don't really grok that and think that if a security block can be overcome in some manner then the thing is not secure.
Eventually Fort Knox will succumb to the unrelenting arrow of time and some future visitors will simply step over the crumbling wall and into the supposedly "secure" area.
I see security as a stopgap measure when there's no peace. The best "security" is not to need any in the first place.
i find this statement is often used as an excuse to not think about security at all. which is probably not what you intended here (i hope, although you did say "pointless"...), but some people parrot it for that purpose.
a) this was a security win. millions and millions of people had physical access to the device for over a decade
b) as others have said, security is not all-or-nothing. the xbox one is extremely secure, despite not being perfectly secure.
c) just because something eventually gets hacked does not mean security was pointless. delaying access is a perfectly reasonable security goal. delaying access until the product is retired and the successor is already out on the market is a huge win.
One of the DRM circumvention methods for the Xbox 360 involved precision drilling a specific depth into one of the chips on the board. Microsoft was very aware of the nature of physical access while designing this, haha.
I had many Xbox 360s with flashed DVD drive firmware back in the day. But as I never owned a slim console I had no idea the drill/Kamikaze hack was a thing until now.
This seems like an unqualified win for the security measure. The future value of Xbox One DRM is probably close to zero. They already got what they wanted out of it.
At this point the blip of free media coverage possibly makes this a net positive for XBox.
'pointless' is doing a lot of heavy lifting there.
This console went completely unhacked for 12 years, with this coming a solid 4 years after the hardware was discontinued. They kept piracy off the console for its whole lifespan, which was the entire point of these security measures. This is a massive success for the Xbox security team.
I can give you a piece of paper with a one time pad encoded secret, where the one time is physically destroyed. You can take all the time you want but you will not crack anything…
You don't need to attack the math, if you can attack the sender or thr receiver ['s hardware].
I’m pretty skeptical of that lesson. This took 13 years and it’s cheap mass-market hardware.
You do have a credit card, right?
It wasn't unhackable and decrypted versions of games already have been dumped. There was even a public exploit published years ago.
https://github.com/exploits-forsale/collateral-damage
What's new here is that this compromises the entire system security giving access to the highest privilege level.
Thanks for the mention! I helped with the collateral damage exploit (wrote the PE loader).
I didn't ask but Emma -- who wrote the kernel-mode exploit -- and I would probably agree that Collat is not really what we would consider a proper hack of the console since it didn't compromise HostOS. Neither of us really expected game plaintext to be accessible from SRA mode though.
One should never call something "unhackable" ...
Given that it held up against 13 years of dedicated efforts by people with physical access to the device, many years after its successor was launched, it seems merited in this case.
This talk about some of what went into it is fascinating: https://youtu.be/quLa6kzzra0
"Extremely hard to hack" or "Hackable only after it's retired" don't exactly roll off the tongue, but they are not synonymous with "Unhackable".
In many cases the truth is simply that its not worth the time/effort to hack it, so only the most dedicated perverts(with a positive connotation) keep trying.
It literally got hacked, that's what the article is about. It is NOT unhackable.
Microsoft stopped manufacturing in 2020. It was not hacked in its lifetime.
I agree, but also find it funny that by that standard the DRM in the original Google video streaming product was not hacked before the service was shutdown, after about 2 years :)
And to think that sometimes people doubt the wisdom of Google’s product-lifecycle decisions!
To the community it was unhackable, until very recently. It's security measures held up so long that it appeared to be unshakable. There were no obvious flaws. In hindsight it was hackable, but keep in mind how long it took. This console has long been obsoleted.
It was unhackable while it mattered. It was hacked 5 years after it no longer mattered. And all but the effectively beta release remain unhacked even now.
In the very strict interpretation probably nothing is unhackable, just not hacked yet. But one should also be pragmatic about what "unhackable" means in context. Without the power of hindsight, a consumer device that stayed unhacked for ~13 years can be reasonably called unhackable during this time.
We don't need to contribute to word inflation. There's "really hard," there's "nearly impossible," there's even "impossible – as far as we know." I don't think it shows a lack of pragmatism to assume a technological claim, made by a technology company, should't be taken at face value. On the contrary, I'd advise more pragmatism to anyone failing to disregard an "unhackable" claim made by Microsoft specially even after fixnum years without known exploits.
I think it's like calling a ship "unsinkable". Yes, you engineered it to not sink, in accordance with strict maritime standards no doubt, but just don't call it unsinkable. If you call it unsinkable you're just begging for a century of snickering at your hubris.
It has no relation to hubris whatsoever if the "unhackable" label is not something self-proclaimed at launch but something descriptively applied by other people who were unable to hack it. Nobody would have snickered if the Titanic were described as unsinkable by people who had been trying to sink it for 10 years.
> Nobody would have snickered if the Titanic were described as unsinkable by people who had been trying to sink it for 10 years.
Pedantic: I'm sure somebody would have snickered about "unsinkable" if the Titanic sank after 10 years. Pragmatic: if the "unsinkable" Titanic lasted 10 years (or at least to profitability) before being sunk by people intending to sink it, that might certainly count as being "unsinkable" for the time it hadn't sunk.
Hubris: Titanic was claimed to be unsinkable before it was launched.
I wish people would take statements in relative terms along with the whole context before attempting to refute them with a quick gotcha in absolute terms.
Obviously nothing is ever unhackable, not even Fort Knox, given infinite time and resources, and Microsoft never made such claims, this is just media editorializing for clicks and HN eating the bait, but Xbox One was definitely the most unhackable console of its generation. Case in point, it took 13 years of constant community effort to hack a 499$ consumer device from 2013. PS4 and iPhones of 2013 have also been jailbroken long ago.
Therefore, even the click-bait statement with context in relative terms is 100% correct, it truly was unhackable during the time it was sold and relative to its peers of the time.
This goes against information theory as a whole, and the point of words. How are you going to convey all this extra context to people who don't follow the space, and what word(s) do we use for something that is actually unhackable?
Literally unhackable? XD
> Case in point, it took 13 years of constant community effort to hack it.
Can you attempt to quantify this effort in comparison to other game consoles? I'm not very familiar with the Xbox scene, but I would assume that there was a lot less drive to achieve this given that Xbox has never really had many big exclusive titles and remains the least popular major console (with an abysmally tiny market presence outside of the US).
As an aside, I wonder if Microsoft's extra effort into securing the platform comes from their tighter partnership with media distributors/streaming platforms and their off-and-on demonstrated desire to position the Xbox as a home media center more than just a gaming console.
> Can you attempt to quantify this effort in comparison to other game consoles?
The person who hacked the original Xbox wrote a book on the topic, which they've since made free: https://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf
I too forget sometimes that Wii U existed.
>and remains the least popular major console (with an abysmally tiny market presence outside of the US).
TF are you on about? The xbox one of 2013(competitor of the PS4 who got hacked long before) had a ~46% market share in the US and ~35% globally. Hardly insignificant. And any Microsoft Product, even those with much lower market share, attracts significant attention from hackers since it's worth a lot in street-cred, plus the case of reusing cheap consoles as general PCs for compute since HW used to be subsidized. And of course for piracy, game preservation and homebrew reasons.
I again tap the sign of my previous comment, of uring people to stop jumping the gun to talk out of their ass, without knowing and considering the full context.