Re: undocumented backdoor found in ESP32

Subject: Re: undocumented backdoor found in ESP32
From: not (at) *nospam* telling.you.invalid (Computer Nerd Kev)
Newsgroups: comp.misc
Date: 09. Mar 2025, 22:36:03
Organization: Ausics - https://newsgroups.ausics.net
Message-ID: <67ce09c2@news.ausics.net>
References: 1 2
User-Agent: tin/2.0.1-20111224 ("Achenvoir") (UNIX) (Linux/2.4.31 (i586))

John McCue <jmccue@qball.jmcunx.com> wrote:
> In comp.misc Salvador Mirzo <smirzo@example.com> wrote:
>> Undocumented "backdoor" found in Bluetooth chip used by a billion devices
>> Bill Toulas March 8, 2025 11:12 AM
>>
>> The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif
>> and used by over 1 billion units as of 2023 contains an undocumented
>> "backdoor" that could be leveraged for attacks.
>
> Looks like there is more than meets the eye:
>
> This refutes the claim that researchers found a "backdoor"
> https://darkmentor.com/blog/esp32_non-backdoor/

Yes it's an odd definition of backdoor where the attacker must
already have full control over the device via the HCI commands
which are how Bluetooth controllers are controlled by a host
system. The "backdoor" is that the host system can give the
Bluetooth controller some extra debugging commands, but security
over the device's behavior has already been lost by the time an
attacker is able to send standard HCI commands anyway.

Also the "C-based USB Bluetooth driver" by Tarlogic, which sounds
like a cross-platform equivalent for what you can do on Linux with
Wireshark, is beside the point because they found the undocumented
HCI commands by reverse engineering the ESP32 ROM downloaded from
GitHub, not by looking at USB communications. That seems to be just
an ad for their product.

This does demonstrate the case for open-source firmware on such
devices as Bluetooth controllers, which would allow these details
to be discovered without someone needing an incentive to invest in
reverse-engineering the binary ROMs. It's a better ad for
open-source firmware than for Tarlogic's USB Bluetooth driver.
Except that nobody(?) does open-source Bluetooth controller
firmwares to begin with.

--
__          __
#_ < |\| |< _#
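
The post above turns on the difference between standard HCI commands and extra vendor debugging commands sent by the host. As an added example (not part of the post, and not Tarlogic's or Espressif's code), this sketch parses HCI command packets from a host-side capture and picks out those in the vendor-specific opcode group (OGF 0x3F). It assumes H4 (UART) framing; the sample bytes are constructed, and the vendor opcode in them is a placeholder, not a real ESP32 command.

```python
import struct

H4_COMMAND = 0x01   # H4 packet indicator: HCI command (host -> controller)
OGF_VENDOR = 0x3F   # opcode group the Bluetooth spec reserves for vendor commands
OGF_NAMES = {0x01: "Link Control", 0x02: "Link Policy",
             0x03: "Controller & Baseband", 0x04: "Informational",
             0x05: "Status", 0x06: "Testing", 0x08: "LE Controller",
             OGF_VENDOR: "Vendor-specific"}

def parse_h4_commands(stream: bytes):
    """Yield (ogf, ocf, params) for each HCI command packet in an H4 byte stream."""
    pos = 0
    while pos < len(stream):
        if stream[pos] != H4_COMMAND:
            raise ValueError(f"offset {pos}: not an HCI command packet")
        if pos + 4 > len(stream):
            raise ValueError(f"offset {pos}: truncated command header")
        # 16-bit little-endian opcode, then a 1-byte parameter length
        opcode, plen = struct.unpack_from("<HB", stream, pos + 1)
        params = stream[pos + 4:pos + 4 + plen]
        if len(params) != plen:
            raise ValueError(f"offset {pos}: truncated parameters")
        # Opcode layout: upper 6 bits = OGF (group), lower 10 bits = OCF (command)
        yield opcode >> 10, opcode & 0x03FF, params
        pos += 4 + plen

def vendor_commands(stream: bytes):
    """Return [(ocf, params)] for commands in the vendor-specific group."""
    return [(ocf, p) for ogf, ocf, p in parse_h4_commands(stream)
            if ogf == OGF_VENDOR]

# Constructed sample capture: two standard commands, one vendor-specific.
SAMPLE = bytes.fromhex(
    "01030c00"       # HCI_Reset: OGF 0x03, OCF 0x003, no parameters
    "01011000"       # HCI_Read_Local_Version_Information: OGF 0x04, OCF 0x001
    "0134fc02aabb"   # placeholder vendor command: OGF 0x3F, OCF 0x034, 2 bytes
)

if __name__ == "__main__":
    for ogf, ocf, params in parse_h4_commands(SAMPLE):
        group = OGF_NAMES.get(ogf, "Unknown")
        flag = "  <-- vendor-specific" if ogf == OGF_VENDOR else ""
        print(f"OGF 0x{ogf:02X} ({group}) OCF 0x{ocf:03X} params={params.hex()}{flag}")
```

All of these packets originate on the host side of the HCI link, so anything able to inject the vendor-specific one could already issue the standard ones.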
