by iamflimflam1 on 3/11/25, 8:21 AM with 90 comments
by unsnap_biceps on 3/11/25, 8:39 AM
I'm very glad they're going to be more transparent rather than try to lock things down more. I've been impressed with Espressif over the years and I'm glad they're continuing to impress.
by sschueller on 3/11/25, 8:55 AM
I use the ESP32 in my product[1] I am glad they exist. Their per-certified modules save you quite a bit of money when you do your CE testing.
Espressif also offer free design review if you are using their chip in your commercial project/product[2].
[1] https://www.stationdisplay.com/
[2] https://www.espressif.com/en/contact-us/circuit-schematic-pc...
by rswail on 3/11/25, 8:40 AM
by dengjiuhong on 3/11/25, 9:38 AM
by solarkraft on 3/11/25, 11:13 AM
> Espressif will document all Vendor-specific HCI commands to ensure transparancy of what functionality is available at the HCI layer
This is great. While this practice may be common and it may not be considered a backdoor, undocumented functionality is definitely a risk. I’m glad that people didn’t just take it as “well that’s how it’s done” but instead are pushing for a better way.
by spaintech on 3/11/25, 9:14 AM
Is it feasible to exploit these undocumented HCI commands to develop malicious firmware for the ESP32? Such firmware could potentially be designed to respond to over-the-air (OTA) signals, activating these hidden commands to perform unauthorized actions like memory manipulation or device impersonation.
However, considering that deploying malicious firmware already implies a significant level of system compromise, how does this scenario differ from traditional malware attacks targeting x86 architectures to gain low-level access to servers?
by blinkingled on 3/11/25, 10:32 AM
by nonrandomstring on 3/11/25, 9:53 AM
A phrase I hear around security nowadays is "Shadow API" [0, 1]
A shadow API is an undocumented one, and it tends to set-off massive alarm bells.
The researchers were clearly too keen to make a splash, and that reflects a sad state of wannabeism and hustling for crumbs these days.
What exacerbates it is proprietary software - stuff that's hidden, obscured, opaque, deceptive, distributed as mysterious "blobs".... this entire cluster of behaviour raises red flags and gets people looking for things. And when we go looking for things that aren't there ... we find them (assume the worst).
That is to say, the researchers are reacting emotionally (but with good justification) to discovering undocumented features, aka a "shadow API".
This could have been avoided if the device maker had just documented them. Why didn't they?
[0] https://www.cybershow.uk/episodes.php?id=39
[1] https://www.cloudflare.com/learning/security/api/what-is-sha...
by londonembedded on 3/11/25, 10:00 AM
On any embedded platform which allows low level access to a radio transciever of any kind, it is possible to exercise all functionality, which will include various possible attacks. The only thing which prevents this in the industry at present is obfuscation, which most manufacturers (other than Espressif) dont bother with.
Take Nordic for example, who make probably the best and most widely used/respected BLE chipset: the full functionality of the transciever can be used via a relatively small set of registers, which are fully documented. Nordic supply a BLE stack, but you can perfectly well write your own instead, meaning that you can deliberately or accidentally abuse all aspects of the protocol. Even at physical level, one can easily conduct simple jamming attacks, by broadcasting full power carrier signal on the BLE advertising channels.
None of this naughtiness is a security flaw. BLE and other wireless protocols in common use are well designed to be resistant to jamming, and the physical implementation of the radios on various SoCs available currently are limited: you cant put out 10 watts of hash over 82 channels at once, because the silicon doesnt support it. You cant even 'sniff' BLE traffic in a real sense, because the silicon on requires a significant number of bytes of 'address' in order to capture any meaningful packet data from ambient noise.
Here is C code, as a fun example, to broadcast full power carrier on any channel, from Nordic NRF52. This is absolutely documented and useful for testing (for example emissions).
// set channel to number between 0 and 100 int channel = 0;
nrf_radio_shorts_set(0); nrf_radio_int_disable(~0); nrf_radio_event_clear(NRF_RADIO_EVENT_DISABLED); nrf_radio_task_trigger(NRF_RADIO_TASK_DISABLE); while (!nrf_radio_event_check(NRF_RADIO_EVENT_DISABLED)) {} nrf_radio_event_clear(NRF_RADIO_EVENT_DISABLED);
nrf_radio_mode_set(RADIO_MODE_MODE_Ble_LR500Kbit); nrf_radio_shorts_enable(NRF_RADIO_SHORT_READY_START_MASK); nrf_radio_txpower_set(0); nrf_radio_frequency_set(2400 + channel); nrf_radio_task_trigger(NRF_RADIO_TASK_TXEN);
by rfoo on 3/11/25, 8:38 AM
This sounds like... a good feature? There are indeed some scenarios where doing so poses a security risk. But most of the time I do want to be able to run arbitrary code on e.g. my WiFi dongle when I'm in control. I know FCC is not a fan of this idea though.
by Jochim on 3/11/25, 8:46 AM
Undocumented backdoor found in Bluetooth chip used by a billion devices
by raphman on 3/11/25, 8:49 AM
Both HN discussion [1] and blogs [2] mentioned that it was a nothingburger.
tl;dr: there are undocumented debugging interfaces on the original ESP32 chip that can only be accessed by code running on the microcontroller or via another computer connected via the physical UART interface. No remote exploit possible. Espressif will now provide a patch to disable these debugging interfaces and document all yet-undocumented interfaces.
by vbezhenar on 3/11/25, 10:10 AM
by MasterYoda on 3/11/25, 6:46 PM