Well obviously.. ESP chip backdoor

I have 100% always thought that the cheap Wi-Fi / Bluetooth ESP chip line was nothing more than a Chinese government operation to globally distribute a network world war 3 attack vector… but like everyone else I was too lazy to care. Someone cared.

12 Likes

I think I only have two esp32 devices online. A Meshtastic device and a wled module.

I’m mobile ATM, is there a patch or no?

2 Likes

It doesn’t look like it because the commands are built into the silicon? I think?

4 Likes

Fun.
I have a bunch of IoT devices likely using them.

Just another "either nothing happens, or it's a world-shattering thing" to add to the pile.

2 Likes

If China feels the need to increase the volume on my TV, I will likely be thankful. Outside of that, they will be wasting their time at my place!

1 Like

Well, one device would give them access to your network… And a node of a botnet… Do you really think that this was about your TV?

It was about having access to everything at all times…

3 Likes

My IoT is all on a separate network, in fact on several. I have 5 levels of trust and cheap AliExpress products are on the bottom. So they can control the Bluetooth transmitter to the TV. That is about it.

However you make a valid point that not everyone does this.

I also think there is a lot of security in obscurity here. Assuming this is a govt hack in the event of something sinister happening, I am a nobody and any foreign operator sneaking around my systems is really tying up their time. On that note I am going to hit the Govt up for defence funding; clearly I am a security asset :wink:

4 Likes

This seems to be a lot of noise about not much. The "backdoor" commands have to be sent from the microcontroller to the Bluetooth stack; it doesn't seem to be exploitable over the air. It might cause some issues in very specific applications, but in general, if you are in a position to misuse the commands, you probably already have full control over the device anyway.

Given that the commands would be useful for debugging and are using the prefix specifically set aside for vendors to implement proprietary commands, this seems less like a massive government conspiracy and more like someone stumbling over some engineering tools.

4 Likes

More info and a bit more nuanced analysis:

Apparently the HCI protocol, which is used by the main ESP32 core to communicate with its (integrated) Bluetooth modem, has some undocumented additional functionality. This cannot be used remotely, but can be used to do shenanigans iff you already have your malicious code running on the main chip.

Still pretty sus, but apparently an industry standard practice among Bluetooth chip designers.

4 Likes
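As an added illustration (not code from this thread or from Espressif) of the point above: an HCI command opcode carries a 6-bit Opcode Group Field (OGF) and a 10-bit Opcode Command Field (OCF), and OGF 0x3F is the group the Bluetooth specification reserves for vendor-specific commands. The decoder below splits H4-framed HCI command packets that way and flags anything in the vendor group, which is what you would look for when auditing host-to-controller HCI traffic. The sample trace and the vendor opcode 0xFC01 are constructed for the example.

```python
"""Decode H4-framed Bluetooth HCI command packets and flag vendor-specific
opcodes (OGF 0x3F). Sample packets are constructed for illustration."""
import struct

H4_COMMAND = 0x01          # H4 packet indicator for an HCI command
VENDOR_OGF = 0x3F          # Opcode Group Field reserved for vendor commands


def parse_hci_command(pkt: bytes) -> dict:
    """Split an H4-framed HCI command into opcode fields and parameters."""
    if len(pkt) < 4 or pkt[0] != H4_COMMAND:
        raise ValueError("not an H4 HCI command packet")
    # Little-endian 16-bit opcode followed by a one-byte parameter length
    opcode, plen = struct.unpack_from("<HB", pkt, 1)
    params = pkt[4:]
    if len(params) != plen:
        raise ValueError(f"parameter length mismatch: header says {plen}, got {len(params)}")
    return {
        "opcode": opcode,
        "ogf": opcode >> 10,        # upper 6 bits: command group
        "ocf": opcode & 0x03FF,     # lower 10 bits: command within the group
        "params": params,
        "vendor_specific": (opcode >> 10) == VENDOR_OGF,
    }


def audit_hci_trace(packets) -> list:
    """Return (index, opcode) for every vendor-specific command in a trace of
    H4 packets; events and ACL data packets are skipped."""
    hits = []
    for i, pkt in enumerate(packets):
        if not pkt or pkt[0] != H4_COMMAND:
            continue
        cmd = parse_hci_command(pkt)
        if cmd["vendor_specific"]:
            hits.append((i, cmd["opcode"]))
    return hits


# Constructed trace: a standard HCI Reset (OGF 0x03, OCF 0x0003 -> 0x0C03),
# the Command Complete event for it, and a hypothetical vendor command
# with OCF 0x0001 (opcode 0xFC01) carrying two parameter bytes.
SAMPLE_TRACE = [
    bytes([0x01, 0x03, 0x0C, 0x00]),
    bytes([0x04, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00]),
    bytes([0x01, 0x01, 0xFC, 0x02, 0xAA, 0xBB]),
]

if __name__ == "__main__":
    for idx, op in audit_hci_trace(SAMPLE_TRACE):
        print(f"packet {idx}: vendor-specific HCI command opcode 0x{op:04X}")
```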

No need to throw your devices in the trash (journalists, on the other hand …)

2 Likes

Espressif publishes their Bluetooth ROM blobs here: GitHub - espressif/esp-rom-elfs (Espressif ROM binaries). These are compiled into the flash image via the Espressif SDK (IDF) together with the user code, so you can update the Bluetooth ROMs by pushing updated and recompiled software to the chips.

2 Likes

Riddle me this, wise code/hardware gurus. Is my Talos door lock fucked now? Uses ESP32-C3.

1 Like

Not really… I took the sensationalist bait :slight_smile:

6 Likes

No. You will be fine. I suspect if the Chinese Govt wants to get into your home, they will simply kick in the door. :slight_smile:

It looks like you have to have physical access to the chip to do anything.

3 Likes