Source Link Privacy.
Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.
Update: The ESP32 “backdoor” that wasn’t.
Does anyone know where it is that we can find these new commands? I have an esp32 dev kit just a few feet away from me as i read this. It might be interesting to know what these new product “features” are.
This isn’t a backdoor. Just a company trying to make name for themselves by sensationalizing a much smaller discovery.
Seriously this. Every single IC which has digital logic contains some number of undocumented test commands used to ensure it meets all the required specifications during production. They’re not intended to be used for normal operation and almost never included in datasheets.
If anyone’s ever followed console emulator development, they know those undocumented commands are everywhere. There’s still people finding new ones for the N64 hardware
Edit: I should say undocumented behavior, not necessarily new commands
Please update the title of this post to mention the update
How so?
Idk maybe specify that it was determined to not be a backdoor. Right now it reads as anti-china fear mongering.
Could be propaganda as well - why not scare the monkeys with the bad Chinese? Without ESPs the market is so much easier to control.
Note:I use both the ES8266ex and different ESP32s in my projects.
You can edit post titles as well as content (even images!) on Lemmy.
Haha. I wear cheap Chinese bluetooth literally on my skull like 95% of the time, web when sleeping.
Hope they enjoy my thoughts.
Gotta blame China to get upvoted on Lemmy.
Or use a precise title. It’s not a backdoor or a “backdoor”.
I hate it when an attacker who already has root access to my device gets sightly more access to the firmware. Definitely spin up a website and a logo, maybe a post in Bloomberg.
We really should be pushing for fully open source stack (firmware, os) in all iot devices. They are not very complicated so this should be entirely possible. Probably will need a EU law though.
I 100% believe firmware should be open source no question about it. There’s so many devices out there especially phones and iot devices that just become e-waste because you can’t do anything with it once it’s not supported if it was open source and documented in some way then it could be used. I have like five cheap phones that I got because they were so cheap but once they lost support they’ve become completely useless even though they still work.
But then big companies wouldn’t be able to keep milking the consumer via planned obsolescence. Won’t somebody think of the shareholders?
This is about silicon. Undocumented instructions have just been found in it but they are not executable unless the ESP32’s firmware uses them. Firmware cannot be edited to use them unless you have an existing vulnerability such as physical access or insecure OTA in existing firmware (as far as researchers know).
Backdoored devices are useful for people who can impede that.
And the way EU is approaching privacy, surveillance and all such, - oh-hoh-ho, I don’t think there will be a EU law.
Yeah tons of weird little private softwares never get updates, but they aren’t making anyone money either
Open source stack will not prevent this. It’s not even a backdoor, it’s functionality that these researches think should be hidden from programmers for whatever reason.
Open source devices would have this functionality readily available for programmers. Look at rtl-sdr, using the words of these researches, it has a “backdoor” where a TV dongle may be used to listen to garage key fobs gasp everyone panic now!
thats a very fair point, I had not seen anyone else make this one But the problem is that in this case, this functionality was entirely undocumented. I dont think it was intended for programmers.
Now if the firmware was open source, people would have gotten to know about this much sooner even if not documented. Also such functionality should ideally be gated somehow through some auth mechanism.
Also just like how the linux kernel allows decades old devices to be at the very least patched for security risks, open firmware would allow users of this chip to patch it themselves for bugs, security issues.
Yeah, of course, it would be better in many ways if the firmware wasn’t closed.
This turned racist / xenophobic real quickly.
There have been several other posts about this without mentioning China at all, especially in the post itself.
No where in the article does it say “chinese”, literally anywhere.
Check your racism.
Edited to remove where I stated it was manufactured. I did a quick search and found a couple mentions, but did not thoroughly check sourced. Apologies.
I agree we shouldn’t be racist against Chinese people, but you’re ignorant. From wikipedia: ESP32 is created and developed by Espressif Systems, a Chinese company based in Shanghai, and is manufactured by TSMC using their 40 nm process.It is a successor to the ESP8266 microcontroller.
So it’s designed/developed in China and manufactured in Taiwan; not China.
Dog whistling.
This has nothing to do with the chip or who makes it.
It’s the way it’s written.
You missed the point.
Gold medal for your performance in mental gymnastics.
Like how I clearly said the article had been posted before without mentioning China, especially in the article itsef, never mind in the post? Which obviously shows it was more about the title of the post?
I bow to YOUR mental gymnastics and ignorance combined with brute confidence.
Tell me you don’t know anything about anti racism without telling me you don’t know anything about anti racism.
Read a book.
You’ll sound less stupid (maybe).
But you don’t think buying a Tesla, Tesla stock, makes you a Nazi or a Nazi sympathizer so…
This is why we’re in the state are in.
Poison thrown at the wrong people.
I’m not stealing your money, firing you, taking away your rights as a human being. I don’t think you’re a ‘parasite’.
I’m not the 1%, neither are you.
Focus on the real enemy. Then things will get done.
I actually wanted to keep the title short, but I think it would be better to edit the title to avoid any confusion to make it clear that it’s manufactured in China, rather than saying it in the current way.
Edit: I edited the title to reflect the details better.
So instead of blatant racism based on a lie, you’re just going to dogwhistle racism based on a lie.
Thank you, your explanation / edit is much appreciated 👏 🥳 ❤️
💜Thank you for correcting me.
I edited it now 😄
Also, thank you for showing people that there’s space for these types of comments that lead to a pleasant and meaningful exchange!
This means more to me than you know 🥹
Appreciate you!
❤️🩷🧡💛💚💙🩵💜🤎🖤🩶🤍
No. Fuck the Chinese. All 17billion of them.
/s
17billion of them.
Xi had a clone army?
🤔
Well… Shit.
There are so, so, so, many ESP32’s in not just my house, but practically everyone I know.
There outta be fines for this BS.
You’re fine. This isn’t something that can be exploited over wifi. You literally need physical access to the device to exploit it as it’s commands over USB that allow flashing the chip.
This is a security firm making everything sound scary because they want you to buy their testing device.
You literally need physical access to the device to exploit it
You don’t need physical access. Read the article. The researcher used physical USB to discover that the Bluetooth firmware has backdoors. It doesn’t require physical access to exploit.
It’s Bluetooth that’s vulnerable.
I just re-read the article and yes, you still need physical access.
The exploit is one that bypasses OS protections to writing to the firmware. In otherwords, you need to get the device to run a malicious piece of code or exploit a vulnerability in already running code that also interacts with the bluetooth stack.
The exploit, explicitly, is not one that can be carried out with a drive-by Bluetooth connection. You also need faulty software running on the device.
“Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the backdoor might be possible via malicious firmware or rogue Bluetooth connections.”
I of course don’t know details but I’m basing my post on that sentence. “Backdoor may be possible via … rogue Bluetooth connections.”
Looking at the article, the exploit requires you to be able to send arbitrary data to the Bluetooth device over a physical connection. This means that a properly secure application will be protected from drive by connections, but if the application has an exploit that either lets an attacker write arbitrary values to the Bluetooth controller, or more likely contains a general arbitrary code execution exploit, then you could use this to rewrite values to the chip that would let you “persist” certain changes to the Bluetooth chip that would be difficult to notice.
I would consider this a moderate concern, as this will definitely increase your options if you’re looking to be able to make an attack that targets a specific device and this gives you a few additional persistence options, but any attack would have to be designed for a particular program running connected to a Bluetooth chip.
A more likely concern in my opinion would be the possibility of a supply chain attack, where someone compromises a Bluetooth chip that they know will be used to construct a particular part.
I don’t think that it’s super likely that either of these will affect the average person, only corporations and governments where espionage is an actual threat, as if you can find a Bluetooth IOT device that you want to mess with, like a Bluetooth enabled door lock, then you’re more likely to be able to find an arbitrary code execution attack which causes it to unlock immediately. Being able to spoof a different Bluetooth device isn’t likely to give you that big of an advantage when you’re working with a device that was already vulnerable for a different reason.
thank you for the nice analysis. this should really be voted highest.
Thank you for the analysis, very insightful!
Do you reckon this is more of an oversight or bug in the BT stack, or a deliberately places backdoor as the title seems to suggest?
From what I can tell from looking at it, this seems like something deliberately left in, but not for malicious reasons. The op codes referenced simply give access to lower level parts of the boards programming. ESP32’s are already a user programmable board, a valid use case is to run your entire application on one if the code being run is lightweight enough to not interfere with the Bluetooth code. Either during development, or during runtime, these undocumented codes are likely used to run specific commands on the board.
The actual issue as far as I can tell, since normally it’s valid usage to rewrite the board over USB, is that ESP32 boards also offer ways to encrypt device code, and require it to be signed, and you are presumably able to mess with this in order to dump code that was expected to be securely encrypted, and overwrite code on devices that was intended to require signing. (https://docs.espressif.com/projects/esp-idf/en/latest/esp32s3/security/secure-boot-v2.html#background)
Proving what someone was thinking when they programmed something is extremely difficult unless you can find written evidence of someone specifically saying if they did something or not, but this all seems like a legitimate minor exploit in a device that wasn’t built by, or intended for, people who are working against highly resourced attackers. This is still not a concern for normal people who aren’t concerned about being attacked by spies, and if a nation state wanted to hide a vulnerability in something then there are far easier paths to take than one that only works if you can steal a microcontroller so you can connect to it over USB.
Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the backdoor might be possible via malicious firmware or rogue Bluetooth connections.
I really wish these articles just tell us what these scenarios are. I understand companies need publicity or need to sell software but if it isn’t replicatable and the article says “might be possible” it kind of sounds like a secuity sales pitch.
This is especially the case if an attacker already has root access, planted malware, or pushed a malicious update on the device that opens up low-level access.
This part basically sounds more like a software issue where the attacker has a way in already. The system is already vulernable at this point before using the exploit found.
I don’t think there’s enough information out yet.
It is very interesting though.
This is about silicon. Undocumented instructions have just been found in it but they are not executable unless the ESP32’s firmware uses them. Firmware cannot be edited to use them unless you have an existing vulnerability such as physical access or insecure OTA in existing firmware (as far as researchers know).
I do have a few outside. Probably not the best security-wise. Haha. Those are the first to get patched when one comes out.
Security wise, unless you are being specifically targeted by someone, you are almost certainly fine. And if you are being specifically targeted, I think someone hacking your ESPs is the least of your worries. A malicious attacker that knows your physical location can do a lot more scary things than just spying through ESPs.
Just wait until a jester creates a software that sends an erase flash backdoor command to any BT device it sees.
One of my friends is a type I diabetic. He had some sort of smart thingamajig in his teenage years for measuring blood sugar, so you could monitor it over time or warn your family if you’re in some critical situation.
The jester may mean simply to prank, but they may well have blood on their hands if they fuck up medical devices such as that one.
And runs with an USB cable flashing other peoples ESPs to ruin everyone’s day
In that case, how long til some open source project uses it to make a custom firmware to bypass the manufacturer bs and integrate my cheap IoTs seamlessly into Home assistant?
You can already reflash a lot of devices for this purpose. And you could use esp-home to customise once reflashed
Really? Where can I find this
Heres the top google link i found: https://randomnerdtutorials.com/how-to-flash-a-custom-firmware-to-sonoff/
Esp-home is available as a HA addin, docs here: https://esphome.io/
Esp-home also works with the older esp-01 - it was released as a wifi module so there are only two gpio’s, but thats enough for a lot of home automation stuff.
Here’s one i have connected to HA, where HA uses rest-api to capture some data from a game called tacticus, and it shows my available tokens for guild raid and arena
Thanks
Tasmota is another option if they have your specific device in their list. Otherwise you have to do some debugging to figure out what gpio or i2c address to use.
I think we are basically already there with ESPs :D.
Wrong. Read the analysis. It is a BT vulnerability. One can probably design a cheap attack system that just sends a erase flash command to any BT device in reach, instantly bricking every BT enabled ESP32 device.
Just reread it and no, it’s not a BT vulnerability. The “erase flash” command is something that has to be done by software running outside the BT stack. You can even see that inside the slides. The
UsbBluetoothsoftware is connected to the device with the flawed bluetooth chipset.The vulnerability is that if you have this chipset and compromised software, someone can flash the chipset with compromised flash. They even say that it’s not an easy attack to pull off in the article.
In general, though, physical access to the device’s USB or UART interface would be far riskier and a more realistic attack scenario.
In otherwords, the attack is something that can only be pulled off if there’s also a security vulnerability within other parts of the hardware stack.
Yeah, that’s not the main concern.
Too much fanfare and too little real info shared to be of any value. Sounds more like an ad than infosec
Exactly what it is. A gross example of company trying to get their name out their by sensationalizing their findings.
Seriously wtf did I just try to read? It sounded like AI slop.
I’d like to know if this is just a firmware update or unfixable, but sadly this seems just an ad rather than news
There is nothing to “fix”. Undocumented instructions have just been found in the silicon but they are not executable unless the ESP32’s firmware their owner flashed to give it a purpose uses them. No pre-2025 firmware that we know of uses these instructions, and they might turn out to be buggy so compilers might not adopt them. If they turn out OK, the documentation of the instruction set will need an update, and compilers will be able to take advantage of the new instructions.
Here’s an article with a bit more detail… but I’m still unclear whether these backdoor commands are hardware circuits or firmware logic.
Bleeping Computer: Undocumented “backdoor” found in Bluetooth chip used by a billion devices
Thanks for the link, this article is more clear compared to the posted above.
I’m more interested to the scope of the exploit whether it could touch the flash of the controller or not as you can also do OTA update through the BLE component.
Solid article. I imagine the folks at the cyberwire podcast will be doing more digging over the weekend for a solid summary come Monday.
deleted by creator
Even if it were fixable, it would be up to manufacturers to push updates. I doubt any really care enough.
It is not easy to determine how fixable this is. IIRC, the ESP32 has the wireless stack hidden from user space, and I am not sure if it is a blob included during link time, or if it is stored in a ROM of the chip. I do have the chips and the development enviroment in my studio, but (luckily) I decided to use a different chip for my project.
But I know there is a load of systems using either the ESP32 as their main processor, or as an auxiliary processor to add WiFi or BT capabilities, so this really is a big oh shit moment.
The Chinese adding back doors into their software/hardware.
Say it ain’t so!
It ain’t so.
To use the “backdoor” an attacker needs to have full access to the esp32 powered device already.
It’s like claiming that being able to leave your desk without locking your PC is a backdoor in your OS.
Yes, this is about undocumented instructions found in the silicon but they are not executable unless the ESP32’s firmware uses them. Firmware cannot be edited to use them unless you have an existing vulnerability such as physical access or insecure OTA in existing firmware (as far as researchers know).
It is good to question the “backdoor” allegations - maybe the instructions’ microcode was buggy and they didn’t want to release it.
Say it ain’t so
Your bug is a heartbleeder
Say it ain’t so
My NIC is a bytetakertech backdoors are only okay when us good guys require em
China ain’t our friend but neither is our own regime, I don’t get the normies only caring about privacy and security when chinaman do the thing
Then they tuck their dicks because they got nothing to hide when domestic spook is doing the same
pathetic and intellectually disingenuous
Where did anyone say anything remotely like that?
I think it’s sarcasm mate.
I wouldnt be so sure about that. I’ve heard people say stuff that was mindbogglingly dumber than that, completely seriously.
it was in fact sarcasm
thats what /s is for.
How about all tech backdoors are bad and we should aim to use and make software and hardware that is ethically produced and usable without selling out your privacy and security?
Like a PRISM for China, is every powerful country just backdooring each other?
Thats hot.
One more reason to have actual open-source drivers instead of binary blobs…
Not the first time a backdoor was found on Chinese made hardware and it won‘t be the last time. Decoupling can‘t happen quickly enough.
Which government’s backdoors would you prefer?
“We know you have a choice in oppressive governments, so we appreciate you choosing ours.”
None of them, that’s why the only things in my house that connect to the internet are my computers, game consoles, and cell phone
Assuming you’re not joking here, if your computers are any way modern they almost certainly have a backdoor.
Obviously, but I trust my Linux mint laptop a hell of a lot better than my aunt’s XIPPLG branded wifi cat feeder that she bought off Amazon
You probably shouldn’t, check out Intel management engine and AMD secure technology.
From what I understand, the only way to mitigate the risks relating to IME or AMD PSP is to simply not have a computer in the first place. Like I’ve said elsewhere twice now, it’s worth mitigating some risks even if we can’t mitigate all of them. I don’t want the most advanced computing device in my home to be an astrolabe.
I don’t think Lemmy shitposters are getting them premium zero days used on them.
This isn’t some crazy zero day, it’s pretty well known. Intel management engine and AMD secure technology.
Not sure if joking or naive…
Like I said 6 hours ago, just because I can’t mitigate all of the risk doesn’t mean that I shouldn’t mitigate as much as I reasonably can.
My 3d printer is a fire hazard, but that’s no excuse for leaving a bunch of candles unattended.
Ah I missed the other comment, my client still had a cached view apparently. And definitely true regarding mitigation, your phrasing just read funny to me :)
I guarantee all off those have components from manufacturers that a government could pressure for a backdoor.
You are correct, and it doesn’t change my stance at all. It’s still worth it to mitigate risk even if you can’t mitigate all risk.
Like, the fact that my 3d printer is already a fire hazard does not justify leaving a bunch of candles unattended
I mean, most users here are browsing using a device with an AMD or Intel CPU, both with known backdoors. Not the first time a backdoor was found on American made hardware and it won’t be the last.
True, but the ESP32 is used by a lot of devices. This backdoor is pretty huge in scope of devices impacted.
It depends on what the method of attack is. I’m not seeing anything saying that it would be possible to exploit wirelessly, so this could easily be mostly a non-issue.
Jokes on them, I live in America when all that shit was already being done.
