Gotta blame China to get upvoted on Lemmy.
Someone correct me if i’m wrong, but it looks like it’s not the big deal the original blog post makes it out to be.
To issue those undocumented HCI commands one either needs to hijack a computer/soc/mcu that is connected to an esp32 with HCI UART transport enabled or put malicious software on the esp itself.
The mac spoofing might be interesting for people building hacking tools, however.
Yeah, this is hyped for clicks. This requires the target device to already be paired and requires privileged access on the local system to install the custom driver. NVD rates the exploitability of CVE-2025-27840 as 0.3 out of 10.
The ESP32 chip is used in tons of devices. The scope of this is really broad.
HeartBleed level.
No way they’re on the same level. Heartbleed allowed for remote memory reads. This requires you to have access to change the firmware and just gives you some more APIs to control the WiFi system and possibly bypass firmware verification.
No way they’re on the same level. Heartbleed allowed for remote memory reads.
I professionally studied HeartBleed as a security researcher and wrote a peer reviewed opinion piece which was published. I won’t say where or the title because it would give you my full name, so deal with it. Not trying to humble-brag, just trying to say, I’ve done the research myself here.
HeartBleed was an oversight which sent out enabled by default (!) a TLS heartbeat read overrun error in OpenSSL v1.0.1 to 1.0.2-beta which allowed any third party with an internet connection the ability to request information, 64kb at a time, stored in an affected servers memory. Anything. Private keys, encryption keys, TLS private keys (imagine SSL verified MITM attacks), decrypted sensitive files (which are HDD encrypted and decrypted in memory), passwords, anything.
All’s you had to do was know how to request the information, and the server you wanted to attack. It went undiscovered for a number of months before it was found. The extension was enabled by default, and came bundled with software used on literally billions of private computing devices, servers, IoT devices, and even interstitial devices used over network connection.
Here’s an excerpt from some other security researchers on the subject, in case you don’t want to take my word for it;
We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. 1
You’re correct that they’re not on the same level, but completely backwards in thinking that an undocumented bluetooth backdoor is worse than the worst vulnerability found since the invention of the internet. HeartBleed affected hundreds of millions of critical servers. Literally billions of devices in total. How many consumer devices do you think have this exact bluetooth chip? 10,000? 100,000? 10 million? Still small peanuts in comparison.
but completely backwards in thinking that an undocumented bluetooth backdoor is worse than the worst vulnerability found since the invention of the internet
Right HeartBleed was way worse than this, not on the same level. I wasn’t claiming the opposite.
I was responding to the comment that appeared to suggest they were on the same level.
Yeah, looks like I was gonna respond to the other guy too, but ended up rolling both replies into the same post for some reason. lol oops.
The first part of my post is just backing up what you had said, and the second half was for the guy you were also replying to, to point out how crazy he was.
How many consumer devices do you think have this exact bluetooth chip?
Hundreds of millions. They’re used in an almost uncountable number of IoT devices. It’s entirely possible that there’s a handful of 'em, or more, in your house. Absolutely anything “smart” that uses WiFi or Bluetooth could have one including sprinkler controllers, door locks, lightbulbs, appliances both large and small, garage door openers, and remote controlled power plugs.
Espressif has sold a huge number of ESP32 chips. This isn’t some uncommon no-name manufacturer or chip. It’s used at scale and has been for years.
That you aren’t personally aware of it only means that you have a blind spot.
Hundreds of millions. They’re used in an almost uncountable number of IoT devices.
It’s only this specific chip that is affected. It’s not all bluetooth chips. The article doesn’t even specify which of their tens of chips is affected; ESP32-D0WD-V3, ESP32-D0WDR2-V3, ESP32-U4WDH, ESP32-PICO-V3, ESP32-PICO-V3-02, or the ESP32-PICO-D4.
Even if it were all of them, and even if it were hundreds of millions of devices it would still pale in comparison to HeartBleed in all aspects. It’s an interesting but sophisticated attack vector which severely limits its usage. But lets say you execute a MITM attack from one of these ESP32 chips. What are you feasibly able to do? A MITM attack? Considering these are all low power devices its extremely unlikely that they would be able to output enough power to overtake your home AP. Without doing more research on it, the actual attack surface is opaque. I mean, I guess a guy in China can remotely turn on your sprinklers or get your WiFi password… Lot of good that’s gonna do him from China.
Can someone explain how to know if my devices have this chip, what risks it exposes me to, and what, if anything, I should do to protect myself?
You can use an online tool to look up the Bluetooth [1] or Wifi [2] MAC of the device. If it’s espressive you’ve got one of their chips. That doesn’t guerantee that it’s not one of the others they make. You can also open up the device and look for the esp32. They almost always look the same with their metal can ontop.
The risk has been estimated as 0.3 out of 10
Don’t worry about it.
[1] https://ipnet.tools/bluetooth-device-address-lookup-tool [2] https://ipnet.tools/mac-lookup-tool
Armed with this new tool, which enables raw access to Bluetooth traffic, Targolic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a “backdoor,” that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren’t meant to be accessible, or they were left in by mistake.
I’d kind of like to know whether these can be used against an unpaired device or not. That’d seem to have a pretty dramatic impact on the scope of the vulnerability.
From the article …
The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023
From the person I’m replying to …
I’d kind of like to know whether these can be used against an unpaired device or not. That’d seem to have a pretty dramatic impact on the scope of the vulnerability.
Don’t see how that would matter much. The “scope of the vulnerability” is sufficiently large enough that it should not be partially or otherwise discredited as a risk.
If someone owns a Bluetooth device, then its fair to think that at some point they’d actually use it, being vulnerable to the backdoor access. That’s billions of uses right there, on a regular basis.
From the article …
The researchers warned that ESP32 is one of the world’s most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk of any backdoor in them is significant.
It’s a reasonable question. There are countless devices using esp32 chips which do not use the Bluetooth parts of the chip at all.
At rough count I have 16 of those buggers. Appliances, switches, load meters, lights, etc. If I look harder, I’d probably find more. Yikes!
While I have a few ESP32 in my collection, I am now happy that I chose a different platform for my project.
I wonder what people will say in Nürnberg next week at Embedded World.
Computers are what we’d get if Epimetheus stole something from the gods for us instead
