Undocumented backdoor found in Bluetooth chip used by a billion devices
Undocumented backdoor found in Bluetooth chip used by a billion devices
So i think 29 undocumented commands are far too many for a mistake..
Maybe, maybe not. Keep in mind that opcodes are the lowest-level part of the programming stack. They're literally just integers transmitted on the system bus. So if you've got, for example, 35 operations that you're actually trying to implement, you need 2n ≥ 35 or n = 6 signal lines in your bus to transmit it. But since 26 = 64, that means it's possible to put another 29 values on that 6-bit bus, with completely undefined behavior unless you go out of your way to handle them in the instruction decoder (increasing the size and therefore cost of your silicon, which is very undesirable in an embedded chip that sells for less than $1).
It is not at all implausible for one of those undefined instructions to just happen to do something that an attacker would find useful, by sheer coincidence.
i gather that's why they're referring to the discovery as a 'backdoor'
why do you think both android and ios always trying to keep BT turned on?
step 1 Tracking and profilling step 2 selling data step 3 profit
Android and ios use completely different methods. For example, they listen to frequencies that are inaudible to us and, for example, TV advertising plays an inaudible sound as a trigger for Android/IOs in addition to the audible sound. To impose targeted advertising in order to allocate devices even without a network, etc. They wouldn't actually need backdoors as they get more than enough information as it is. But I don't want to imply that I don't expect backdoors there, because this has been proven in any case and often enough.
This is really bad as most cheap IOT devices using this chip will not receive an update all.
Would like to see a smartphone app testing this out via bluetooth so we could do some damage control at least and take them offline.
The 'S' in IOT stands for Secure
Am I misunderstanding the article? It seemed to imply remote intrusion required either Bluetooth proximity, or physical USB access.
Correct, but as bluetooth is possible over a certain range, "drive by attacks" might be possible.
The "attack" is from the host side, any remote attack is theoretical and would depend on exploiting the software on the host first to then gain access to the BT chip.
- Have IOT device
- It's not secure
How could this have happened???
Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.
Armed with this new tool, which enables raw access to Bluetooth traffic, Targolic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
Badass.
Well that's not good.
I am conflicted on the one hand its a great thing we know about the exploit. The problem is, now everyone knows about it, seems like they've documented exactly how to do it for anyone who didn't already know how...
That’s how it goes with all security vulnerabilities. IMHO sunlight is the best disinfectant for stuff like this. But yeah, it can cause some chaos.
Better to have it out in the open then being used by sneaky nefarious types without anyone else knowing imo
In comparison to the 20 documented ones
What devices use this chip? Has it been enumerated anywhere?
A lot of devices are based around the ESP8266 / ESP32 Here is a site with a very likely VERY incomplete list
In addition to what others have said, ESP32 is often used by hobbyists, like a more powerful Arduino. These devices are extremely versatile and cheap. I have several of these in my home automation and this is very bad news :(
There's a billion, gonna be a long list.. I'd do some research on your devices and see if any of them use the esp32