Source Link Privacy.
Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.
Update: The ESP32 “backdoor” that wasn’t.
I read in another article that the identified 28 backdoor commands.
Is this some hardware flaw, or just something in their standard BT stack?
I love how the biggest problem with reddit was people not reading the article and asking in the comments instead.
Since you didn’t read, you can assume I did, so take what I’m about to say as factual, do not read the actual article yourself and make your own conclusion like a fucking adult:
It’s a flaw where attackers can manipulate the device’s internal clock to not only alter timestamps but also to send data packets into the past or future, effectively communicating with devices across different temporal planes.
By leveraging the chip’s quantum properties, malicious actors can entangle the Bluetooth signals of two separate devices, causing them to share data instantaneously without any direct connection.
The backdoor enables devices to phase in and out of different dimensions, allowing data to be stored in parallel universes, making retrieval nearly impossible for conventional security protocols.
Where in the article did it say that? Did you read the article?
Yes I indeed did read the article. It’s in the section regarding the sarcasm-ESP API
I was wondering the same thing. Wasn’t clear on whether these backdoors are there on purpose or because of mistakes
Too much fanfare and too little real info shared to be of any value. Sounds more like an ad than infosec
Exactly what it is. A gross example of company trying to get their name out their by sensationalizing their findings.
Seriously wtf did I just try to read? It sounded like AI slop.
I hate it when an attacker who already has root access to my device gets sightly more access to the firmware. Definitely spin up a website and a logo, maybe a post in Bloomberg.
Does anyone know where it is that we can find these new commands? I have an esp32 dev kit just a few feet away from me as i read this. It might be interesting to know what these new product “features” are.
Haha. I wear cheap Chinese bluetooth literally on my skull like 95% of the time, web when sleeping.
Hope they enjoy my thoughts.
welp, TL;DR from comments says its fear mongering at best, physical access required right?
Code execution required lmao
It allows the takeover of devices!
How?
By already having taken over the device.
Wtf is this reporting
Yeah one of my more… tech adventurous friends had the most insane series of security breaches (to out it mildly) potentially related to this and some other recent ridiculousness.
The other day someone posted in Canada community that Canada should stop using Tesla cars and import Chinese cars. I replied saying, “That’s like replacing one evil with another.” I was downvoted by a lot of people. I should’ve expected it cuz a lot of people have short term memory.
Everyone has short-term memory and long-term memory. You’re misunderstanding precisely what “short-term memory” refers to. Short-term memory is held for a short time before it’s converted to long-term memory. What you’re referring to is being short-sighted. As in people who don’t fully think about the long-term consequences of current actions. Said short-sighted people still have both short and long-term memory. They’re probably just a little dumb so they don’t fully utilize the memories stored long-term.
Jesus. Okay. So when you say, “being short sighted”, you don’t literally mean they have myopia. You mean it figuratively. Exactly like the person you are correcting clearly means it figuratively when they say “short-term memory”.
There’s been a lot of that lately. Same here in New Zealand.
You dipshits, they’re both the bad guys now.
A lot of people are dumb. Or maybe because they feel offended because they are Chinese, but the reality is that every Chinese company is ultimately controlled by the CCP. If I was fighting a cold war, I would do the same. Sell compromised devices to my trade partners (AKA enemies) so I have leverage when I need it.
Or maybe because they feel offended because they are Chinese
I’m Chinese-American and I’m not offended. The tankies from .ml are
the reality is that every Chinese company is ultimately controlled by the CCP.
Yes.
But in the same way that every US company is ultimately controlled by the US Government. And every EU company by them. And every other country by their own government.
Because that’s not about privacy, that’s about the trade war. Retaliatory tariffs on US cars increase cost of cars for Canadians, as there are almost no car assembled in Canada. Reducing or eliminating tariffs on cars from China would lower cost of new cars for Canadians while keeping the tariffs up.
For privacy and security, not a single new car on the market is decent right now. That should be regulated, but that’s no concern for any politician at the moment.
CCP has backdoor into every tech that comes out of China. It’s not about just privacy. They control democracies based on shaping narratives. They’ll utilize everything that democracy offers and use it against countries. They don’t have freedom of speech or press so they themselves are not victims of it. EVs are really just computers on the road. Flooding the market with Chinese EVs would just mean creating a massive free network on a foreign soil for them.
As opposed to the teslas with the back doors for the us government… but will be moot when Canada is part of the states anyway
Summary: China is not a friend country. It’s a hostile country. Yes, we know.
But the news is… so is the USA to Canada now. A hostile country threatening to annex Canada and trying to cripple the economy as a way to achieve the goal. So either we slap 100% tariffs on US made cars, which would hurt Canadians, or we apply the same tariffs on Chinese cars, so reduce them from where they are at the moment.
All cars are computers on the road at this point, not just EVs…
Europe and its 50 car makers could also be considered instead of China…
Yes, but Canada had implemented 100% tariff on cars from China, following the US. That’s pre-trade war. The proposal is to lift that one.
“China bad” because western media says so. Please disregard the billions of dollars spent by western governments to ensure you keep thinking that way.
It’s just another capitalistic country no better or worse than Canada or the USA. Though, the Chinese government has said their intention is to move towards socialism, so good for them. I’m stuck over here witnessing fascist billionaires loot the government/working class.
Thats super interesting! Write a poem about three gorges dam please
Well, no, China is bad because freedom is very restricted there and because they have ambitions to dominate the world.
Yes, every other world power in the world is more or less the same. People cannot, in general, be trusted to be “good” when given the opportunity to abuse. A world power can be held in check by the presence and efforts of other world powers, though.
China is bad, because they too are a colonialism and imperialistic nation.
Just like the US and Russia.
Living conditions there continue to improve, while ours decline. A whole lot of boogie man bullshit. This article is intentionally fear mongering.
The CCP isn’t putting in a back door requiring on-site access in your litter box.
No, ‘China bad’ because many many examples of China bad. Such as the topic of this post.
The whole “you can’t criticize China because you’re from a country that also does bad things” is logically worthless. It’s the appeal to hypocrisy fallacy.
Not sure if you realize this but China is also ruled by a kleptocratic billionaire class that loots the working class even moreso than the US, so i’m not sure why you look up to them - China has more billionaires and a much larger wealth divide than the US. Actions speak louder than words and while Xi and the CCP often talk about cracking down on thier ultra-wealthy, they don’t really do much - couple billionaires might disappear occasionally though if they don’t praise the party line publically. One thing is for sure - I don’t see any elite CCP party members that are not also very wealthy. And it’s everyone else that’s propagandized 🤔
You really think they intentionally left a back door requiring on-site serial access?
People act like traditional car manufacturers don’t exist anymore even though they all over EV options…
I have a bunch of ESP32’s that … I can update and replace the firmware on, if i reset it the right way with a usb cable. the web site doesn’t explain it any way how this is any worse than that…?
This can be done wirelessly, if the custom driver has been installed.
The website is also the guy trying to sell the solution so I’m just sceptical for now
At this point I welcome them to come through.
Come through with what though?
The Chinese adding back doors into their software/hardware.
Say it ain’t so!
tech backdoors are only okay when us good guys require em
How about all tech backdoors are bad and we should aim to use and make software and hardware that is ethically produced and usable without selling out your privacy and security?
China ain’t our friend but neither is our own regime, I don’t get the normies only caring about privacy and security when chinaman do the thing
Then they tuck their dicks because they nothing to hide when domestic spook is doing the same
pathetic and intellectually disingenuous
Where did anyone say anything remotely like that?
I think it’s sarcasm mate.
I wouldnt be so sure about that. I’ve heard people say stuff that was mindbogglingly dumber than that, completely seriously.
it was in fact sarcasm
Say it ain’t so
Your bug is a heartbleeder
Say it ain’t so
My NIC is a bytetakerLike a PRISM for China, is every powerful country just backdooring each other?
Thats hot.
It ain’t so.
To use the “backdoor” an attacker needs to have full access to the esp32 powered device already.
It’s like claiming that being able to leave your desk without locking your PC is a backdoor in your OS.
This isn’t a backdoor. Just a company trying to make name for themselves by sensationalizing a much smaller discovery.
Seriously this. Every single IC which has digital logic contains some number of undocumented test commands used to ensure it meets all the required specifications during production. They’re not intended to be used for normal operation and almost never included in datasheets.
If anyone’s ever followed console emulator development, they know those undocumented commands are everywhere. There’s still people finding new ones for the N64 hardware
Edit: I should say undocumented behavior, not necessarily new commands
The blob strikes again
Fukin dmnit! I just spent the last several months fine tuning a PCB design supporting this platform. I have , what i believe to be my last iteration, being sent to fab now. I have to look i to this. My solution isnt using bluetooth, so i dont know if im vulnerable.
The exploit requires physical access. It’s not exploitable in 99% of cases
Its not a backdoor, you’re most likely fine.
Go for it. It’s a bullshit attention grab. No backdoor, just some undocumented vendor commands (which is the norm for virtually every chip out there).
