Undocumented backdoor found in Bluetooth chip used by a billion devices
Read More
0 items
-
$0.00
0
Undocumented backdoor found in Bluetooth chip used by a billion devices
Read More
Be the first to know the latest updates
Whoops, you're not connected to Mailchimp. You need to enter a valid Mailchimp API key.
17 Comments
rurban
Their slides in Spanish: https://www.documentcloud.org/documents/25554812-2025-rooted…
asdfologist
Someone on Reddit suspected this 3 years ago.
https://www.reddit.com/r/embedded/comments/wopjw8/how_sure_a…
millerm
Funny that I just pulled out an ESP32 dev kit a couple days ago and I honestly questioned myself with "how do you even know these things are secure at all?" Glad I know the answer now.
I'm starting to miss the days of being disconnected more and more as time goes on. This constant churn of having to monitor and lockdown everything you own down is becoming a complete negative.
ceejayoz
The next world war seems like it’ll be about five minutes long. Nukes won’t be required to send us back to the Stone Age.
noodlesUK
EDIT: My Spanish isn't very good, but reading the slides it doesn't sound like the vulnerability is likely to be remotely exploitable, it sounds like it's only an issue if the chip is in HCI mode and being used as a bluetooth adapter. If someone who speaks Spanish could confirm I would be very appreciative.
Palomides
I'm confused, is it that the bluetooth stack has a few undocumented commands? if these are only accessible to the code already running on the device, I'm not sure I would call it a backdoor
realitysballs
Is this vuln. fixable via firmware or is the vulnerability inherent in the chip architecture?
iracigt
I think the title is a bit misleading. If I'm reading correctly, the "backdoor" allows a computer to peek and poke memory and other low-level functions of its own USB Bluetooth adapter. I don't this this is usable over the air?
Undocumented debugging commands like this are common. I've worked with at least two chips, a WiFi adapter and a GPS receiver, that had similar functions. Neither was documented, but found by reverse engineering the chip firmware or vendor drivers. It's not exactly an impactful issue on its own. Anything that allows unsigned firmware is equally vulnerable.
If I'm misunderstanding and this is usable from anything other than the host, that would be a very different story.
RicoElectrico
FWIW almost nobody uses ESP32 for Bluetooth alone. This is primarily a Wi-Fi SoC. "Billion devices" is a ridiculous claim if most of them don't use BT features anyway.
Retr0id
It's unclear to me what a practical vulnerability/attack scenario would look like here.
lima
The researchers found undocumented hardware functionality which allows someone who already has code execution a greater-than-expected degree of low-level access to the ESP32 wifi stack.
Calling this a "backdoor" is just pure clickbait.
mmastrac
In theory you probably should have low-level access to your attached BT radio itself, so this is just kind of expected, isn't it?
I prefer when devices have these low-level interfaces. Perhaps the problem is the lack of documentation rather than existence?
I used to use the memory read/write commands via USB on Qualcomm radios to unlock and otherwise take ownership of otherwise locked-down devices. Given that was a full OOB read/write I'd consider that maybe not great, but if this is only accessible from flashed code all the better.
almosthere
Anyone want to start a Faraday cage laptop case company
fsflover
Again, the hardware kill switch in my Librem 5 looks like a necessary feature.
roger_
I hate sensational stories like this. Now Espressif is gonna feel pressured to be even more closed.
Aurornis
TL;DR: They reverse engineered the firmware and found HCI commands to do things like read/write memory, send packets, and set the MAC address.
Not really a backdoor. I don't know if they called it a backdoor (presentation is in Spanish), or if the journalists are calling it a backdoor to get more clicks.
You'd need to have arbitrary access to send HCI commands to the device to use these commands. That means you're already controlling the device and how it operates. This isn't something that gets remotely exploited over the wireless link. Any exploits would already have to have full control of the device, at which point being able to change the MAC address or send packets isn't really a surprise anyway.
Interesting research, but really groan-inducing to see it spun as a "backdoor". I don't know who's to blame for the wording, though. I'm guessing the journalists?
EDIT: For an analogy that might be more familiar, imagine if someone discovered that the Ethernet controller on a common IOT chip could change its MAC address or send arbitrary packets if the firmware told it to. This is the same thing, but with Bluetooth.
ddtaylor
No plausible attack described for a reason.