| Header | Value |
|---|---|
| Path | csiph.com!eternal-september.org!feeder3.eternal-september.org!news.eternal-september.org!eternal-september.org!.POSTED!not-for-mail |
| From | Salvador Mirzo <smirzo@example.com> |
| Newsgroups | comp.misc |
| Subject | Re: undocumented backdoor found in ESP32 |
| Date | Mon, 10 Mar 2025 03:30:04 -0300 |
| Organization | A noiseless patient Spider |
| Lines | 53 |
| Message-ID | <87plip4cur.fsf@example.com> (permalink) |
| References | <87ldtf9hmw.fsf@example.com> <vqkcla$q1ta$1@dont-email.me> <67ce09c2@news.ausics.net> |
| MIME-Version | 1.0 |
| Content-Type | text/plain |
| Injection-Date | Mon, 10 Mar 2025 07:30:05 +0100 (CET) |

not@telling.you.invalid (Computer Nerd Kev) writes:

> John McCue <jmccue@qball.jmcunx.com> wrote:
>> In comp.misc Salvador Mirzo <smirzo@example.com> wrote:
>>> Undocumented "backdoor" found in Bluetooth chip used by a billion devices
>>> Bill Toulas March 8, 2025 11:12 AM
>>>
>>> The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif
>>> and used by over 1 billion units as of 2023 contains an undocumented
>>> "backdoor" that could be leveraged for attacks.
>>
>> Looks like there is more than meets the eye:
>>
>> This refutes the claim that researchers found a "backdoor"
>> https://darkmentor.com/blog/esp32_non-backdoor/
>
> Yes it's an odd definition of backdoor where the attacker must
> already have full control over the device via the HCI commands
> which are how bluetooth controllers are controlled by a host
> system. The "backdoor" is that the host system can give the
> bluetooth controller some extra debugging commands, but security
> over the device's behavior has already been lost by the time an
> attacker is able to send standard HCI commands anyway.

Thanks for this explanation.  Apologies if I bought into misinformation
here.  Nevertheless, I think the report is healthy---the very post at
darkmentor.com answers ``it depends'' when they ask whether it's a
security vulnerability.  I think the healthiest thing from hardware
vendors is to document *everything*, although they have the right to
reserve whatever they want for future changes, say.  (Even if this
doesn't work well in practice for the hardware vendors themselves; my
perspective here is merely security.)

> Also the "C-based USB Bluetooth driver" by Tarlogic, which sounds
> like a cross-platform equivalent for what you can do on Linux with
> Wireshark, is beside the point because they found the undocumented
> HCI commands by reverse engineering the ESP32 ROM downloaded from
> GitHub, not by looking at USB communications. That seems to be just
> an ad for their product.

It could be.  Well observed.

> This does demonstrate the case for open-source firmware on such
> devices as Bluetooth controllers, which would allow these details
> to be discovered without someone needing an incentive to invest in
> reverse-engineering the binary ROMs. It's a better ad for
> open-source firmware than for Tarlogic's USB Bluetooth driver.
> Except that nobody(?) does open-source Bluetooth controller
> firmwares to begin with.

Totally agreed.
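
The following is an added example, not part of any post in this thread and not code from Tarlogic, Espressif or darkmentor.com. It illustrates the HCI point in the quoted reply from the defender's side: every host-to-controller command carries a 16-bit opcode whose top 6 bits (OGF) name the command group, and OGF 0x3F is the group reserved for vendor-specific commands, so a host-side audit can flag them in a capture. Assumptions: the input is an H4 (UART) byte stream containing only command packets, and the sample bytes, including the vendor opcode 0xFC01, are constructed.

```python
import struct

H4_COMMAND = 0x01   # H4 transport indicator byte for an HCI command packet
OGF_VENDOR = 0x3F   # opcode group reserved for vendor-specific commands


def parse_hci_commands(stream: bytes):
    """Yield (ogf, ocf, params) for each HCI command in a host-to-controller H4 stream."""
    pos = 0
    while pos < len(stream):
        if stream[pos] != H4_COMMAND:
            raise ValueError(f"unexpected H4 packet type 0x{stream[pos]:02x} at offset {pos}")
        if pos + 4 > len(stream):
            raise ValueError("truncated HCI command header")
        # Header: 16-bit little-endian opcode, then 1-byte parameter length.
        opcode, plen = struct.unpack_from("<HB", stream, pos + 1)
        end = pos + 4 + plen
        if end > len(stream):
            raise ValueError("truncated HCI command parameters")
        # Opcode layout: upper 6 bits OGF, lower 10 bits OCF.
        yield opcode >> 10, opcode & 0x03FF, stream[pos + 4:end]
        pos = end


def vendor_specific(stream: bytes):
    """Return the opcodes of vendor-specific commands, in the order seen."""
    return [(ogf << 10) | ocf
            for ogf, ocf, _ in parse_hci_commands(stream)
            if ogf == OGF_VENDOR]


# Constructed sample capture (not taken from a real device).
SAMPLE = bytes.fromhex(
    "01030c00"      # HCI_Reset: OGF 0x03, OCF 0x003, no parameters
    "01091000"      # HCI_Read_BD_ADDR: OGF 0x04, OCF 0x009, no parameters
    "0101fc02aabb"  # constructed vendor-specific command, 2 parameter bytes
)

if __name__ == "__main__":
    for ogf, ocf, params in parse_hci_commands(SAMPLE):
        tag = "VENDOR-SPECIFIC" if ogf == OGF_VENDOR else "standard"
        print(f"OGF 0x{ogf:02x} OCF 0x{ocf:03x} params={params.hex() or '-'} {tag}")
```
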