Armed with this new tool, which enables raw access to Bluetooth traffic, Targolic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a “backdoor,” that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren’t meant to be accessible, or they were left in by mistake.
I’d kind of like to know whether these can be used against an unpaired device or not. That’d seem to have a pretty dramatic impact on the scope of the vulnerability.
The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023
From the person I’m replying to …
I’d kind of like to know whether these can be used against an unpaired device or not. That’d seem to have a pretty dramatic impact on the scope of the vulnerability.
Don’t see how that would matter much. The “scope of the vulnerability” is sufficiently large enough that it should not be partially or otherwise discredited as a risk.
If someone owns a Bluetooth device, then its fair to think that at some point they’d actually use it, being vulnerable to the backdoor access. That’s billions of uses right there, on a regular basis.
From the article …
The researchers warned that ESP32 is one of the world’s most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk of any backdoor in them is significant.
I’d kind of like to know whether these can be used against an unpaired device or not. That’d seem to have a pretty dramatic impact on the scope of the vulnerability.
From the article …
From the person I’m replying to …
Don’t see how that would matter much. The “scope of the vulnerability” is sufficiently large enough that it should not be partially or otherwise discredited as a risk.
If someone owns a Bluetooth device, then its fair to think that at some point they’d actually use it, being vulnerable to the backdoor access. That’s billions of uses right there, on a regular basis.
From the article …
This comment is licensed under CC BY-NC-SA 4.0
It’s a reasonable question. There are countless devices using esp32 chips which do not use the Bluetooth parts of the chip at all.