The ESP32 chip is used in tons of devices. The scope of this is really broad.
Undocumented "backdoor" found in Bluetooth chip used by a billion devices
Submitted 2 months ago by excel24@feddit.org to technology@lemmy.world
Comments
randompasta@lemmy.today 2 months ago
Xanza@lemm.ee 2 months ago
HeartBleed level.
chaospatterns@lemmy.world 2 months ago
No way they’re on the same level. Heartbleed allowed for remote memory reads. This requires you to have access to change the firmware.
dzso@lemmy.world 2 months ago
Can someone explain how to know if my devices have this chip, what risks it exposes me to, and what, if anything, I should do to protect myself?
tal@lemmy.today 2 months ago
Armed with this new tool, which enables raw access to Bluetooth traffic, Targolic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a “backdoor,” that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren’t meant to be accessible, or they were left in by mistake.
I’d kind of like to know whether these can be used against an unpaired device or not. That’d seem to have a pretty dramatic impact on the scope of the vulnerability.
CosmicCleric@lemmy.world 2 months ago
I’d kind of like to know whether these can be used against an unpaired device or not. That’d seem to have a pretty dramatic impact on the scope of the vulnerability.
Don’t see how that would matter much. The “scope of the vulnerability” is sufficiently large enough that it should not be partially or otherwise discredited as a risk.
If someone owns a Bluetooth device, then its fair to think that at some point they’d actually use it, being vulnerable to the backdoor access. That’s billions of uses right there, on a regular basis.
~This~ ~comment~ ~is~ ~licensed~ ~under~ ~CC~ ~BY-NC-SA~ ~4.0~
rezifon@lemmy.world 2 months ago
It’s a reasonable question. There are countless devices using esp32 chips which do not use the Bluetooth parts of the chip at all.
technocrit@lemmy.dbzer0.com 2 months ago
Treczoks@lemmy.world 2 months ago
While I have a few ESP32 in my collection, I am now happy that I chose a different platform for my project.
I wonder what people will say in Nürnberg next week at Embedded World.
Gradually_Adjusting@lemmy.world 2 months ago
Computers are what we’d get if Epimetheus stole something from the gods for us instead
Dekkia@this.doesnotcut.it 2 months ago
Someone correct me if i’m wrong, but it looks like it’s not the big deal the original blog post makes it out to be.
To issue those undocumented HCI commands one either needs to hijack a computer/soc/mcu that is connected to an esp32 with HCI UART transport enabled or put malicious software on the esp itself.
The mac spoofing might be interesting for people building hacking tool, however.
catloaf@lemm.ee 2 months ago
Yeah, this is hyped for clicks. This requires the target device to already be paired and requires privileged access on the local system to install the custom driver. NVD rates the exploitability of CVE-2025-27840 as 0.3 out of 10.