this post was submitted on 08 Mar 2025
178 points (87.7% liked)

Privacy

35752 readers
561 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
178
Undocumented "backdoor" found in Bluetooth chip used by a billion devices (www.bleepingcomputer.com)
submitted 1 week ago* (last edited 1 week ago) by [email protected] to c/[email protected]
15 comments fedilink hide all child comments
 

Update: https://darkmentor.com/blog/esp32_non-backdoor/

top 15 comments
sorted by: hot top controversial new old
[–] [email protected] 25 points 1 week ago* (last edited 1 week ago) (1 children)

What is this article on about?

Here's the actual presentation: https://www.documentcloud.org/documents/25554812-2025-rootedcon-bluetoothtools/

I don't speak Spanish and only have the slides to go off of, but this doesn't sound like a "backdoor". ~~This sounds like they found the commands for regulatory testing. To do emissions testing you need to be able to make the device transmit on command so that your testing house can verify you're within legal limits on everything.~~

~~These are commands that can be given over USB. You know what else you can do over USB? Fucking anything, these chips have a JTAG USB device. (Now, if these are commands that can't be turned off, that would be kinda bad, I guess? But still not really a super big problem. And I don't see anything that implies that in the slides.)~~

[Edit: It's not even that this is a "backdoor" in an internal peripheral interface. I think the "backdoor" is if you have software that exposes that interface somehow? Like you're running an example that blindly copies stuff from an external UART to this interface? Like I think that's it?]

The tone I get from the slides is more "hey we found this cool tool for doing Bluetooth stuff that doesn't require writing embedded software". Which, cool. But that's sure not the point this article is trying to make.

[–] [email protected] 10 points 1 week ago (2 children)

The discoverers themselves refer to it as a backdoor, so frankly I don't know what you're on about accusing this article of misrepresenting their findings.

[–] [email protected] 8 points 1 week ago (1 children)

Huh, that is interesting. Though, that post doesn't seem to have any info about what the backdoor is either.

Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. [...] This discovery is part of the ongoing research carried out by the Innovation Department of Tarlogic on the Bluetooth standard. Thus, the company has also presented at RootedCON, the world’s largest Spanish-language cybersecurity conference, BluetoothUSB, a free tool that enables the development of tests for Bluetooth security audits regardless of the operating system of the devices. [Emphasis mine.]

Maybe the presentation has nothing to do with the actual backdoor?

Though, this part later might seem to imply they are related:

In the course of the investigation, a backdoor was discovered in the ESP32 chip, [...] Tarlogic has detected that ESP32 chips [...] have hidden commands not documented by the manufacturer. These commands would allow modifying the chips arbitrarily to unlock additional functionalities, [...].

Which, best I can work out, seems to be talking about the information on slide titled "COMANDOS OCULTOS" (page 39 / "41").

If the "backdoor" is the couple of commands in red on that slide, I maintain what I said above. If it's not talking about that and there's another "backdoor" that they haven't described yet, well, then ¯\_(ツ)_/¯ we'll see what it is when they actually announce it.

I fully acknowledge there may be something I'm missing. If there's a real vuln/backdoor here, I'm sure we'll hear more about it.

[–] [email protected] 4 points 1 week ago* (last edited 1 week ago) (1 children)

Maybe we can find out for sure through the magic of the fediverse...

@[email protected] Is the "backdoor" mentioned in https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/ about what you shared in your RootedCON talk? If so, how worried should people using devices containing ESP32s be?

[–] [email protected] 4 points 1 week ago

None. People that have physical access to you device can write malicious firmware. Which they can already do with physical access

It's an overblown nothing-burger. Calling it a backdoor is a security researcher juicing up some minor finding

[–] [email protected] 4 points 1 week ago (1 children)

Please correct if inaccurate, but I don't see in that article where the folks at Espressif refer to it as a backdoor, only the security company. This seems to me as though it is no more vulnerable than any other device which can be compromised by physical access, which is most of devices. The vulnerability really looks to be more in the ability to pivot to other devices remotely after one has been compromised physically, which isn't ideal, but still doesn't seem to me to be any less secure than most other devices.

[–] [email protected] 4 points 1 week ago

I mean, if it were a backdoor, the one thing you can be sure of is that the people who put it there wouldn't be calling it a backdoor, ever.

Though, I think it's worth pointing out that the while the security company's blog calls whatever it is a "backdoor", "backdoor" (nor "puerta" (though, I have no idea if that would be translated literally or to something else)) doesn't appear in the the slides. So I'm going to lay that one at the marketing people trying to drum it up into something more impressive than it really is.

[–] potatopotato 23 points 1 week ago

It's mostly a nothing burger. You basically need to have code already running on the chips. It's less of a backdoor and more of just an undocumented function. That may sound scary but it's rather common in production chips. In some ways it's a good thing, it means there are now more possibilities for messing with the chip and doing fun stuff with it.

[–] [email protected] 13 points 1 week ago (2 children)

TLDR:

They found debugging commands that can be used to access the memory of the device over USB. This is as much a backdoor as any device that runs unsigned firmware

Unless you store secret files on your Bluetooth dongle, you shouldn't have to worry about this.

[–] [email protected] 2 points 1 week ago

Thanks for the clarification because that headline sure is worrisome.

[–] [email protected] 2 points 1 week ago

It's not even over USB by default. It's an internal binary driver API. The USB part is a custom firmware for the ESP that exposes that api via USB that the people giving the talk wrote because it's useful for pentesting / development of exploits for other Bluetooth devices.

[–] [email protected] 9 points 1 week ago

https://www.espressif.com/en/news/Response_ESP32_Bluetooth

Espressif released a statement about it. It's basically a debug function for internal use. It can't actually do anything you couldn't do via other means, with that level of access.

[–] [email protected] 3 points 1 week ago

Billions of devices? Is this bluetooth chip made by the Java people?

[–] [email protected] 1 points 1 week ago* (last edited 1 week ago) (1 children)

Nothing new, never thought that Bluetooth is a safe connection, this is why I always use devices with cable (keyboard, mouse, headphones....). It's somewhat less comfortable as with Bluetooth, but way more safe and stable.

[–] [email protected] 4 points 1 week ago

Yes I always worry about people listening to my Bluetooth headphones.