> Espressif will document all Vendor-specific HCI commands to ensure transparancy of what functionality is available at the HCI layer
I'm very glad they're going to be more transparent rather than try to lock things down more. I've been impressed with Espressif over the years and I'm glad they're continuing to impress.
It is a relative small company which is catering the DIY market. To build any substantial user base with industrial applications, I guess their way is to continue to be open and enable people to build DIY stuff and a tiny fraction of these will one day build products with ESP chips inside.
Well it was very clear from the beginning that these were a set of debug commands. A back door would probably have a door knocking semantics and a very limited apparent surface. These were direct memory reading and writing command and were available in a standardized protocol.
I would think the real issue was wether they were closed enough in real world design to avoid a security issue through debug means.
It was both, tbh. These commands would be usable in some attacks against a “trusted” esp32 implementation.
It’s something they probably should allow developers to disable but it’s also being WILDLY overstated by clout seekers.
You can, from some angles, call this a security flaw or issue. Anyone calling it a backdoor - a term with a specific meaning intentional secret access - is being irresponsible imho
The is a disconnect between the people who do actual work on the ground in the world and the internet.
People in the real world report things - people on the internet read 3 out of 4 of the words in the headline and screech hysterically and run around spouting prophecies about the end of the world.
It kind of was, but I’m happy that it happened because the way it was done (and still is with other vendors) is bad. This resolved that and in my most optimistic dreams other vendors would now follow.
There is a narrow set of circumstances where the previously undocumented commands could be exploited by malware running on a host machine or on compromised firmware. It’s kind of a nothing burger because compromise at this level is already pwned and the undocumented commands really don’t add much to that.
How you think always-open debug is NOT a security issue?
The blog post is a "nothing to see here". You really fell for it? Do we still do car analogies? Here's this car with just a ignition button without keys, and keys to your home in the glovebox and the address already on the GPS... but the thief would have to break into the car first!
Yet, a significant number of stock investors still suffer heavy losses because the market gets rattled by these exaggerated, attention-grabbing headlines. While the consensus here rightly labels this a non-issue—debug commands, not a backdoor, with no remote exploit possible—the sensationalism still has real-world impact. It’s frustrating to see how security hype, often just for internet clout or CVEs as pointed out, can overshadow Espressif’s solid response and transparency efforts, leaving retail investors to bear the brunt of the volatility.
At first I thought this smelled like a Targeted PR drive-by, leveraging the distrust of China to intensify anti-China sentiment for political traction. I’ve been quite cynical about this ever since I was exposed to shady PR companies and saw their list of offerings and prices…. But…
Nope. This looks like an irresponsible, hype seeking disclosure by a security firm trying to make a name for itself. Or maybe a really, really good PR firm and a PR savvy security firm, if I put my tinfoil hat on.
> Espressif will provide a fix that removes access to these HCI debug commands through a software patch for currently supported ESP-IDF versions
> Espressif will document all Vendor-specific HCI commands to ensure transparancy of what functionality is available at the HCI layer
This is great. While this practice may be common and it may not be considered a backdoor, undocumented functionality is definitely a risk. I’m glad that people didn’t just take it as “well that’s how it’s done” but instead are pushing for a better way.
First and foremost, I have no affiliation with any of the authors previously mentioned. However, I would like to pose a question to the community:
Is it feasible to exploit these undocumented HCI commands to develop malicious firmware for the ESP32? Such firmware could potentially be designed to respond to over-the-air (OTA) signals, activating these hidden commands to perform unauthorized actions like memory manipulation or device impersonation.
However, considering that deploying malicious firmware already implies a significant level of system compromise, how does this scenario differ from traditional malware attacks targeting x86 architectures to gain low-level access to servers?
Storm in a teacup. But it raises an interesting question. Why are
these HCI commands "undocumented"?
A phrase I hear around security nowadays is "Shadow API" [0, 1]
A shadow API is an undocumented one, and it tends to set-off massive
alarm bells.
The researchers were clearly too keen to make a splash, and that
reflects a sad state of wannabeism and hustling for crumbs these days.
What exacerbates it is proprietary software - stuff that's hidden,
obscured, opaque, deceptive, distributed as mysterious "blobs"....
this entire cluster of behaviour raises red flags and gets people
looking for things. And when we go looking for things that aren't
there ... we find them (assume the worst).
That is to say, the researchers are reacting emotionally (but with good
justification) to discovering undocumented features, aka a "shadow
API".
This could have been avoided if the device maker had just documented
them. Why didn't they?
One fairly common reason to not document something is not wanting to commit to supporting it or to keeping it around in future releases. Document it and customers will come to depend on it and then you might be stuck with it.
This is an absolute non-issue, as others have commented.
Even without domain-specific knowledge, we can see this is all nonsense: 'Allow attackers to carry out impersonation attacks' - the same thing that can be done with any number of legitimate and useful applications designed for developing with BLE, available on Android marketplace :*)
On any embedded platform which allows low level access to a radio transciever of any kind, it is possible to exercise all functionality, which will include various possible attacks. The only thing which prevents this in the industry at present is obfuscation, which most manufacturers (other than Espressif) dont bother with.
Take Nordic for example, who make probably the best and most widely used/respected BLE chipset: the full functionality of the transciever can be used via a relatively small set of registers, which are fully documented. Nordic supply a BLE stack, but you can perfectly well write your own instead, meaning that you can deliberately or accidentally abuse all aspects of the protocol.
Even at physical level, one can easily conduct simple jamming attacks, by broadcasting full power carrier signal on the BLE advertising channels.
None of this naughtiness is a security flaw. BLE and other wireless protocols in common use are well designed to be resistant to jamming, and the physical implementation of the radios on various SoCs available currently are limited: you cant put out 10 watts of hash over 82 channels at once, because the silicon doesnt support it.
You cant even 'sniff' BLE traffic in a real sense, because the silicon on requires a significant number of bytes of 'address' in order to capture any meaningful packet data from ambient noise.
Here is C code, as a fun example, to broadcast full power carrier on any channel, from Nordic NRF52. This is absolutely documented and useful for testing (for example emissions).
// set channel to number between 0 and 100
int channel = 0;
nrf_radio_shorts_set(0);
nrf_radio_int_disable(~0);
nrf_radio_event_clear(NRF_RADIO_EVENT_DISABLED);
nrf_radio_task_trigger(NRF_RADIO_TASK_DISABLE);
while (!nrf_radio_event_check(NRF_RADIO_EVENT_DISABLED)) {}
nrf_radio_event_clear(NRF_RADIO_EVENT_DISABLED);
tl;dr whichever system using an ESP32 as a bluetooth adapter may also just run arbitrary code on the ESP32 itself over the same interface. Commands have to be issued from the host system, not from the air.
This sounds like... a good feature? There are indeed some scenarios where doing so poses a security risk. But most of the time I do want to be able to run arbitrary code on e.g. my WiFi dongle when I'm in control. I know FCC is not a fan of this idea though.
I agree! Your system is already heavily compromised if this is a problem for you.
I think the real problem lies in a lack of visibility into the state of the device. A compromised dongle could easily be transferred between machines. What we need is to make obvious what the machine/device is doing.
Both HN discussion [1] and blogs [2] mentioned that it was a nothingburger.
tl;dr: there are undocumented debugging interfaces on the original ESP32 chip that can only be accessed by code running on the microcontroller or via another computer connected via the physical UART interface. No remote exploit possible. Espressif will now provide a patch to disable these debugging interfaces and document all yet-undocumented interfaces.
> The ESP32 series of chips support open-source NimBLE and Bluedroid as Bluetooth host stacks.
The undocumented commands in question (which implement the debug interface) are about to become documented, and Espressif was both transparent in their publication, and pledged for more transparency moving forward.
[+] [-] unsnap_biceps|1 year ago|reply
I'm very glad they're going to be more transparent rather than try to lock things down more. I've been impressed with Espressif over the years and I'm glad they're continuing to impress.
[+] [-] looofooo0|1 year ago|reply
[+] [-] roger_|1 year ago|reply
> Espressif will provide a fix that removes access to these HCI debug commands
Very annoying for researchers and tinkerers who would like to play with those commands.
[+] [-] sschueller|1 year ago|reply
I use the ESP32 in my product[1] I am glad they exist. Their per-certified modules save you quite a bit of money when you do your CE testing.
Espressif also offer free design review if you are using their chip in your commercial project/product[2].
[1] https://www.stationdisplay.com/
[2] https://www.espressif.com/en/contact-us/circuit-schematic-pc...
[+] [-] pjc50|1 year ago|reply
Which part of CE? One of the ETSI standards?
[+] [-] jxjdjd|1 year ago|reply
[+] [-] rswail|1 year ago|reply
[+] [-] nraynaud|1 year ago|reply
I would think the real issue was wether they were closed enough in real world design to avoid a security issue through debug means.
[+] [-] karlgkk|1 year ago|reply
It’s something they probably should allow developers to disable but it’s also being WILDLY overstated by clout seekers.
You can, from some angles, call this a security flaw or issue. Anyone calling it a backdoor - a term with a specific meaning intentional secret access - is being irresponsible imho
[+] [-] jpcosta|1 year ago|reply
[+] [-] blitzar|1 year ago|reply
People in the real world report things - people on the internet read 3 out of 4 of the words in the headline and screech hysterically and run around spouting prophecies about the end of the world.
I am a person on the internet.
[+] [-] solarkraft|1 year ago|reply
[+] [-] atoav|1 year ago|reply
And espressif should have closed that gap without external pressure.
[+] [-] K0balt|1 year ago|reply
What it doesn’t have is a backdoor.
[+] [-] 1oooqooq|1 year ago|reply
The blog post is a "nothing to see here". You really fell for it? Do we still do car analogies? Here's this car with just a ignition button without keys, and keys to your home in the glovebox and the address already on the GPS... but the thief would have to break into the car first!
[+] [-] dengjiuhong|1 year ago|reply
[+] [-] Lanolderen|1 year ago|reply
[+] [-] flanked-evergl|1 year ago|reply
[+] [-] IshKebab|1 year ago|reply
[+] [-] K0balt|1 year ago|reply
Nope. This looks like an irresponsible, hype seeking disclosure by a security firm trying to make a name for itself. Or maybe a really, really good PR firm and a PR savvy security firm, if I put my tinfoil hat on.
[+] [-] solarkraft|1 year ago|reply
> Espressif will document all Vendor-specific HCI commands to ensure transparancy of what functionality is available at the HCI layer
This is great. While this practice may be common and it may not be considered a backdoor, undocumented functionality is definitely a risk. I’m glad that people didn’t just take it as “well that’s how it’s done” but instead are pushing for a better way.
[+] [-] spaintech|1 year ago|reply
Is it feasible to exploit these undocumented HCI commands to develop malicious firmware for the ESP32? Such firmware could potentially be designed to respond to over-the-air (OTA) signals, activating these hidden commands to perform unauthorized actions like memory manipulation or device impersonation.
However, considering that deploying malicious firmware already implies a significant level of system compromise, how does this scenario differ from traditional malware attacks targeting x86 architectures to gain low-level access to servers?
[+] [-] blinkingled|1 year ago|reply
[+] [-] nonrandomstring|1 year ago|reply
A phrase I hear around security nowadays is "Shadow API" [0, 1]
A shadow API is an undocumented one, and it tends to set-off massive alarm bells.
The researchers were clearly too keen to make a splash, and that reflects a sad state of wannabeism and hustling for crumbs these days.
What exacerbates it is proprietary software - stuff that's hidden, obscured, opaque, deceptive, distributed as mysterious "blobs".... this entire cluster of behaviour raises red flags and gets people looking for things. And when we go looking for things that aren't there ... we find them (assume the worst).
That is to say, the researchers are reacting emotionally (but with good justification) to discovering undocumented features, aka a "shadow API".
This could have been avoided if the device maker had just documented them. Why didn't they?
[0] https://www.cybershow.uk/episodes.php?id=39
[1] https://www.cloudflare.com/learning/security/api/what-is-sha...
[+] [-] tzs|1 year ago|reply
[+] [-] londonembedded|1 year ago|reply
On any embedded platform which allows low level access to a radio transciever of any kind, it is possible to exercise all functionality, which will include various possible attacks. The only thing which prevents this in the industry at present is obfuscation, which most manufacturers (other than Espressif) dont bother with.
Take Nordic for example, who make probably the best and most widely used/respected BLE chipset: the full functionality of the transciever can be used via a relatively small set of registers, which are fully documented. Nordic supply a BLE stack, but you can perfectly well write your own instead, meaning that you can deliberately or accidentally abuse all aspects of the protocol. Even at physical level, one can easily conduct simple jamming attacks, by broadcasting full power carrier signal on the BLE advertising channels.
None of this naughtiness is a security flaw. BLE and other wireless protocols in common use are well designed to be resistant to jamming, and the physical implementation of the radios on various SoCs available currently are limited: you cant put out 10 watts of hash over 82 channels at once, because the silicon doesnt support it. You cant even 'sniff' BLE traffic in a real sense, because the silicon on requires a significant number of bytes of 'address' in order to capture any meaningful packet data from ambient noise.
Here is C code, as a fun example, to broadcast full power carrier on any channel, from Nordic NRF52. This is absolutely documented and useful for testing (for example emissions).
// set channel to number between 0 and 100 int channel = 0;
nrf_radio_shorts_set(0); nrf_radio_int_disable(~0); nrf_radio_event_clear(NRF_RADIO_EVENT_DISABLED); nrf_radio_task_trigger(NRF_RADIO_TASK_DISABLE); while (!nrf_radio_event_check(NRF_RADIO_EVENT_DISABLED)) {} nrf_radio_event_clear(NRF_RADIO_EVENT_DISABLED);
nrf_radio_mode_set(RADIO_MODE_MODE_Ble_LR500Kbit); nrf_radio_shorts_enable(NRF_RADIO_SHORT_READY_START_MASK); nrf_radio_txpower_set(0); nrf_radio_frequency_set(2400 + channel); nrf_radio_task_trigger(NRF_RADIO_TASK_TXEN);
[+] [-] rfoo|1 year ago|reply
This sounds like... a good feature? There are indeed some scenarios where doing so poses a security risk. But most of the time I do want to be able to run arbitrary code on e.g. my WiFi dongle when I'm in control. I know FCC is not a fan of this idea though.
[+] [-] Jochim|1 year ago|reply
I think the real problem lies in a lack of visibility into the state of the device. A compromised dongle could easily be transferred between machines. What we need is to make obvious what the machine/device is doing.
[+] [-] mrheosuper|1 year ago|reply
[+] [-] Jochim|1 year ago|reply
Undocumented backdoor found in Bluetooth chip used by a billion devices
https://news.ycombinator.com/item?id=43301369
[+] [-] ElectRabbit|1 year ago|reply
If an attacker can write raw data the HCI interface you are doomed anyway.
[+] [-] raphman|1 year ago|reply
Both HN discussion [1] and blogs [2] mentioned that it was a nothingburger.
tl;dr: there are undocumented debugging interfaces on the original ESP32 chip that can only be accessed by code running on the microcontroller or via another computer connected via the physical UART interface. No remote exploit possible. Espressif will now provide a patch to disable these debugging interfaces and document all yet-undocumented interfaces.
[1] https://news.ycombinator.com/item?id=43301369
[2] https://darkmentor.com/blog/esp32_non-backdoor/
[+] [-] vbezhenar|1 year ago|reply
[+] [-] rollcat|1 year ago|reply
> The ESP32 series of chips support open-source NimBLE and Bluedroid as Bluetooth host stacks.
The undocumented commands in question (which implement the debug interface) are about to become documented, and Espressif was both transparent in their publication, and pledged for more transparency moving forward.
How much more do you want?
[+] [-] ChrisRR|1 year ago|reply
[+] [-] MasterYoda|1 year ago|reply
[+] [-] thijson|1 year ago|reply
[+] [-] unknown|1 year ago|reply
[deleted]