From: Salvador Mirzo
Newsgroups: comp.misc
Subject: Re: undocumented backdoor found in ESP32
Date: Mon, 10 Mar 2025 03:30:04 -0300
Organization: A noiseless patient Spider
Message-ID: <87plip4cur.fsf@example.com>
References: <87ldtf9hmw.fsf@example.com> <67ce09c2@news.ausics.net>

not@telling.you.invalid (Computer Nerd Kev) writes:

> John McCue wrote:
>> In comp.misc Salvador Mirzo wrote:
>>> Undocumented "backdoor" found in Bluetooth chip used by a billion devices
>>> Bill Toulas March 8, 2025 11:12 AM
>>>
>>> The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif
>>> and used by over 1 billion units as of 2023 contains an undocumented
>>> "backdoor" that could be leveraged for attacks.
>>
>> Looks like there is more than meets the eye:
>>
>> This refutes the claim that researchers found a "backdoor"
>> https://darkmentor.com/blog/esp32_non-backdoor/
>
> Yes it's an odd definition of backdoor where the attacker must
> already have full control over the device via the HCI commands
> which are how bluetooth controllers are controlled by a host
> system. The "backdoor" is that the host system can give the
> bluetooth controller some extra debugging commands, but security
> over the device's behavior has already been lost by the time an
> attacker is able to send standard HCI commands anyway.

Thanks for this explanation. Apologies if I bought into misinformation here.

Nevertheless, I think the report is healthy---the very post at darkmentor.com answers ``it depends'' when they ask whether it's a security vulnerability. I think the healthiest thing for hardware vendors is to document *everything*, although they have the right to reserve whatever they want for future changes, say. (Even if this doesn't work well in practice for the hardware vendors themselves; my perspective here is merely security.)

> Also the "C-based USB Bluetooth driver" by Tarlogic, which sounds
> like a cross-platform equivalent for what you can do on Linux with
> Wireshark, is beside the point because they found the undocumented
> HCI commands by reverse engineering the ESP32 ROM downloaded from
> GitHub, not by looking at USB communications. That seems to be just
> an ad for their product.

It could be. Well observed.

> This does demonstrate the case for open-source firmware on such
> devices as Bluetooth controllers, which would allow these details
> to be discovered without someone needing an incentive to invest in
> reverse-engineering the binary ROMs. It's a better ad for
> open-source firmware than for Tarlogic's USB Bluetooth driver.
> Except that nobody(?) does open-source Bluetooth controller
> firmwares to begin with.

Totally agreed.