this post was submitted on 08 Mar 2025

1029 points (92.8% liked)

Technology

66362 readers

4957 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related content.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

[email protected]

1029

Undocumented Commands Found In Bluetooth Chip Manufactured in China Used By a Billion Devices. (www.tarlogic.com)

submitted 6 days ago* (last edited 5 days ago) by [email protected] to c/[email protected]

193 comments fedilink hide all child comments

Source Link Privacy.

https://themarkup.org/blacklight?url=https%3A%2F%2Fwww.tarlogic.com%2Fnews%2Fbackdoor-esp32-chip-infect-ot-devices%2F&device=mobile&location=us-ca&force=false

Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.

Update: The ESP32 "backdoor" that wasn't.

(page 4) 47 comments

sorted by: hot top controversial new old

[–] [email protected] 25 points 5 days ago (13 children)

The Chinese adding back doors into their software/hardware.

Say it ain't so!

[–] [email protected] 23 points 5 days ago

Say it ain't so
Your bug is a heartbleeder
Say it ain't so
My NIC is a bytetaker

load more comments (12 replies)

[–] [email protected] 2 points 5 days ago

So, what is the probability of it affecting a lot of people?

[+] [email protected] -7 points 5 days ago* (last edited 5 days ago) (3 children)

The ESP32 chip, developed by Espressif Systems, is widely used in various IoT (Internet of Things), embedded systems, and consumer electronics due to its low power consumption, built-in Wi-Fi & Bluetooth, and high processing capability.

Devices That Use the ESP32 Chip

Development Boards & Microcontrollers

ESP32 DevKit series (official Espressif boards)

M5Stack and M5Stick series

Adafruit HUZZAH32

SparkFun ESP32 Thing

LilyGO T-Series (T-Display, T-SIM, T-Watch, etc.)

WEMOS Lolin D32/D32 Pro

Smart Home & IoT Devices

Sonoff Smart Switches and Plugs (e.g., Sonoff Mini R3, Sonoff S31)

Shelly Smart Relays (e.g., Shelly 1, Shelly 2.5)

Tuya-Based Smart Devices (many smart home products use Tuya firmware on ESP32)

Air quality monitors (e.g., AirGradient open-source air sensors)

IoT Sensor Hubs (various DIY and commercial solutions)

Wearables & Portable Devices

TTGO T-Watch (ESP32-based smartwatch)

Heltec WiFi Kit Series (LoRa-enabled IoT devices)

Fitness trackers (some DIY and prototype models)

Robotics & DIY Electronics

ESP32-CAM (ESP32-based camera module)

DIY drones & robots (used in hobbyist and educational robotics)

3D Printer controllers (e.g., ESP32-based Klipper controllers)

Industrial & Commercial Products

ESP32-based vending machines (wireless payment systems)

Smart irrigation controllers

Energy monitoring devices (e.g., OpenEnergyMonitor)

Smart locks & security systems

Audio & Multimedia Devices

ESP32-based web radios

DIY Bluetooth speakers

Smart light controllers with voice assistants

Why Is ESP32 Popular?

✔ Low-cost & powerful (dual-core, Wi-Fi, Bluetooth) ✔ Great for DIY & commercial IoT applications ✔ Strong developer community & open-source support ✔ Compatible with Arduino, MicroPython, ESP-IDF, etc.

load more comments (3 replies)

[–] [email protected] 2 points 6 days ago

The blob strikes again

[–] [email protected] 1 points 6 days ago

Hey look china got caught putting backdoors in hardware AGAIN

[–] [email protected] 3 points 6 days ago (2 children)

Yeah one of my more… tech adventurous friends had the most insane series of security breaches (to out it mildly) potentially related to this and some other recent ridiculousness.

load more comments (2 replies)

[–] [email protected] 6 points 6 days ago (2 children)

I have a bunch of ESP32's that ... I can update and replace the firmware on, if i reset it the right way with a usb cable. the web site doesn't explain it any way how this is any worse than that...?

load more comments (2 replies)

[–] [email protected] 85 points 6 days ago (2 children)

Too much fanfare and too little real info shared to be of any value. Sounds more like an ad than infosec

load more comments (2 replies)

[–] [email protected] 21 points 6 days ago

One more reason to have actual open-source drivers instead of binary blobs..

[–] [email protected] 9 points 6 days ago (2 children)

Is this some hardware flaw, or just something in their standard BT stack?

load more comments (1 replies)

[–] [email protected] 201 points 6 days ago (1 children)

Well... Shit.

There are so, so, so, many ESP32's in not just my house, but practically everyone I know.

There outta be fines for this BS.

[–] [email protected] 163 points 6 days ago (4 children)

You're fine. This isn't something that can be exploited over wifi. You literally need physical access to the device to exploit it as it's commands over USB that allow flashing the chip.

This is a security firm making everything sound scary because they want you to buy their testing device.

[+] [email protected] -10 points 5 days ago (2 children)

Wrong. Read the analysis. It is a BT vulnerability. One can probably design a cheap attack system that just sends a erase flash command to any BT device in reach, instantly bricking every BT enabled ESP32 device.

[–] [email protected] 19 points 5 days ago

Just reread it and no, it's not a BT vulnerability. The "erase flash" command is something that has to be done by software running outside the BT stack. You can even see that inside the slides. The UsbBluetooth software is connected to the device with the flawed bluetooth chipset.

The vulnerability is that if you have this chipset and compromised software, someone can flash the chipset with compromised flash. They even say that it's not an easy attack to pull off in the article.

In general, though, physical access to the device's USB or UART interface would be far riskier and a more realistic attack scenario.

In otherwords, the attack is something that can only be pulled off if there's also a security vulnerability within other parts of the hardware stack.

[–] [email protected] 2 points 5 days ago

Yeah, that's not the main concern.

[–] [email protected] 72 points 6 days ago (3 children)

You literally need physical access to the device to exploit it

You don't need physical access. Read the article. The researcher used physical USB to discover that the Bluetooth firmware has backdoors. It doesn't require physical access to exploit.

It's Bluetooth that's vulnerable.

https://www.bleepingcomputer.com/news/security/undocumented-backdoor-found-in-bluetooth-chip-used-by-a-billion-devices/

[–] [email protected] 76 points 5 days ago (1 children)

I just re-read the article and yes, you still need physical access.

The exploit is one that bypasses OS protections to writing to the firmware. In otherwords, you need to get the device to run a malicious piece of code or exploit a vulnerability in already running code that also interacts with the bluetooth stack.

The exploit, explicitly, is not one that can be carried out with a drive-by Bluetooth connection. You also need faulty software running on the device.

[–] [email protected] 18 points 5 days ago (4 children)

"Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the backdoor might be possible via malicious firmware or rogue Bluetooth connections."

I of course don't know details but I'm basing my post on that sentence. "Backdoor may be possible via ... rogue Bluetooth connections."

load more comments (4 replies)

[–] [email protected] 31 points 5 days ago

Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the backdoor might be possible via malicious firmware or rogue Bluetooth connections.

I really wish these articles just tell us what these scenarios are. I understand companies need publicity or need to sell software but if it isn't replicatable and the article says "might be possible" it kind of sounds like a secuity sales pitch.

This is especially the case if an attacker already has root access, planted malware, or pushed a malicious update on the device that opens up low-level access.

This part basically sounds more like a software issue where the attacker has a way in already. The system is already vulernable at this point before using the exploit found.

I don't think there's enough information out yet.

It is very interesting though.

load more comments (1 replies)

[–] [email protected] 7 points 6 days ago (2 children)

In that case, how long til some open source project uses it to make a custom firmware to bypass the manufacturer bs and integrate my cheap IoTs seamlessly into Home assistant?

[–] [email protected] 10 points 6 days ago (1 children)

You can already reflash a lot of devices for this purpose. And you could use esp-home to customise once reflashed

[–] [email protected] 4 points 6 days ago (3 children)

Really? Where can I find this

[–] [email protected] 2 points 5 days ago

Tasmota is another option if they have your specific device in their list. Otherwise you have to do some debugging to figure out what gpio or i2c address to use.

[–] [email protected] 3 points 6 days ago* (last edited 6 days ago) (2 children)

Heres the top google link i found: https://randomnerdtutorials.com/how-to-flash-a-custom-firmware-to-sonoff/

Esp-home is available as a HA addin, docs here: https://esphome.io/

[–] [email protected] 1 points 6 days ago* (last edited 6 days ago)

Esp-home also works with the older esp-01 - it was released as a wifi module so there are only two gpio’s, but thats enough for a lot of home automation stuff.

Here’s one i have connected to HA, where HA uses rest-api to capture some data from a game called tacticus, and it shows my available tokes for guild raid and arena

[–] [email protected] 2 points 6 days ago

Thanks

[–] [email protected] 2 points 6 days ago

https://esphome.io/

[–] [email protected] 3 points 6 days ago

I think we are basically already there with ESPs :D.

[–] [email protected] 14 points 6 days ago (1 children)

I do have a few outside. Probably not the best security-wise. Haha. Those are the first to get patched when one comes out.

[–] [email protected] 33 points 6 days ago (1 children)

Security wise, unless you are being specifically targeted by someone, you are almost certainly fine. And if you are being specifically targeted, I think someone hacking your ESPs is the least of your worries. A malicious attacker that knows your physical location can do a lot more scary things than just spying through ESPs.

[–] [email protected] 4 points 5 days ago (2 children)

Just wait until a jester creates a software that sends an erase flash backdoor command to any BT device it sees.

load more comments (2 replies)

[–] [email protected] 43 points 6 days ago (4 children)

I’d like to know if this is just a firmware update or unfixable, but sadly this seems just an ad rather than news

[–] [email protected] 6 points 5 days ago

It is not easy to determine how fixable this is. IIRC, the ESP32 has the wireless stack hidden from user space, and I am not sure if it is a blob included during link time, or if it is stored in a ROM of the chip. I do have the chips and the development enviroment in my studio, but (luckily) I decided to use a different chip for my project.

But I know there is a load of systems using either the ESP32 as their main processor, or as an auxiliary processor to add WiFi or BT capabilities, so this really is a big oh shit moment.

[–] [email protected] 28 points 6 days ago* (last edited 6 days ago) (3 children)

Here’s an article with a bit more detail… but I’m still unclear whether these backdoor commands are hardware circuits or firmware logic.

Bleeping Computer: Undocumented "backdoor" found in Bluetooth chip used by a billion devices

[–] [email protected] 5 points 5 days ago

Solid article. I imagine the folks at the cyberwire podcast will be doing more digging over the weekend for a solid summary come Monday.

load more comments (1 replies)

[–] [email protected] 11 points 6 days ago

Even if it were fixable, it would be up to manufacturers to push updates. I doubt any really care enough.

load more comments (1 replies)

[–] [email protected] 19 points 6 days ago (3 children)

Not the first time a backdoor was found on Chinese made hardware and it won‘t be the last time. Decoupling can‘t happen quickly enough.

[–] [email protected] 7 points 6 days ago

I mean, most users here are browsing using a device with an AMD or Intel CPU, both with known backdoors. Not the first time a backdoor was found on American made hardware and it won't be the last.

[–] [email protected] 17 points 6 days ago (1 children)

Which government's backdoors would you prefer?

"We know you have a choice in oppressive governments, so we appreciate you choosing ours."

[–] [email protected] 12 points 6 days ago (6 children)

None of them, that's why the only things in my house that connect to the internet are my computers, game consoles, and cell phone

[–] [email protected] 4 points 6 days ago (3 children)

Assuming you're not joking here, if your computers are any way modern they almost certainly have a backdoor.

[–] [email protected] 11 points 5 days ago* (last edited 5 days ago) (2 children)

Obviously, but I trust my Linux mint laptop a hell of a lot better than my aunt's XIPPLG branded wifi cat feeder that she bought off Amazon

load more comments (2 replies)

load more comments (5 replies)

[–] [email protected] 17 points 6 days ago (1 children)

True, but the ESP32 is used by a lot of devices. This backdoor is pretty huge in scope of devices impacted.

[–] [email protected] 4 points 5 days ago

It depends on what the method of attack is. I'm not seeing anything saying that it would be possible to exploit wirelessly, so this could easily be mostly a non-issue.

load more comments