24 points by NKosmatos 17 hours ago | 7 comments
  • loufe 16 hours ago
    • NKosmatos 16 hours ago
      My bad, I forgot to search for the additional URL before posting. Searching by ESP32 and Espressif didn’t bring any similar results, hence the dupe. It would be great if there was an automatic pre-check before we post something ;-)
  • jasonjayr 17 hours ago
    Does this allow device owners to recover or replace the firmware in abandoned/EOLed (by the vendor) IoT devices?

    If that's true, then maybe this is a good thing?

    • laurowyn 16 hours ago
      It's absolutely a good thing, and arguably not a security issue at all.

      It needs access to the command interface of the chip, which means you need to either have physical access to the device or compromise whatever is physically connected to the device.

      It's practically like calling a read/write filesystem a security issue. Yes, an attacker can write to disk and persist there, and they can overwrite files, etc. But there needs to be a flaw that allows access to that behaviour first, else it's just a part of the interface.

      And in this instance, it's a part of the debug interface of the chip. And practically makes it a perfect candidate for future bluetooth security tools, similar to the Atheros chipsets used for WiFi sniffing. Now we can do bluetooth impersonation attacks for $2 instead of hundreds.

      Betting there'll be some good bluetooth research in the near future, showing all sorts of devices are vulnerable to attacks using $2 hardware. That's the real security problem here.

    • unsnap_biceps 16 hours ago
      esp devices are generally super easy to replace the firmware on. I have PetLibro Water Fountains that use a weight sensor powered by an esp32. I opened the base, attached three wires to the uart output on the processor, flashed esphome firmware and loaded it into home assistant, completely cloud free monitoring.

      The undocumented instructions aren't a backdoor at all; they require you to have local access or to have already taken control over the firmware via another bug. The only thing that people going nuts over a "backdoor" will do is cause espressif to close up their interfaces, which would make it harder in the future to repurpose the hardware.

  • iamjackg 17 hours ago
    Great. Time to replace half my home automation devices! This is not entirely unexpected, regardless of whether it was intentional or not, but it still hurts. Although I guess it means it might be easier to take control of existing devices without having to open them up and connect to the GPIOs.

    I wonder if this is patchable at all?

    • sigmoid10 16 hours ago
      This is not a remote exploit. It's not even a backdoor. It's just a bunch of undocumented interface commands that allow access to things like memory. To exploit any of this you need an attacker to have physical access or to get to run privileged software on the device. In both cases you'd already be totally screwed anyway. This is a clickbait nothingburger and that's the reason why it was presented at a random local conference. An actual backdoor that infects billions of wireless devices would have easily earned you a top presenter spot at a highly prestigious conference.
      • iamjackg 15 hours ago
        You're right! It looks like I misunderstood the report and the "hidden opcodes" are only accessible to the ESP32 itself, not to connected devices? The article is somewhat confusingly worded.
  • Hizonner 15 hours ago
    Sounds like it isn't a big deal, but even if it were a big deal, I still think it'd be important to mention that THAT LINK IS ABSOLUTE HOT GARBAGE. We don't need links to content-free marketing press releases on here.
  • devit 16 hours ago
    It's bullshit according to previous discussion on HN (https://news.ycombinator.com/item?id=43301369).

    Just a bunch of undocumented hardware registers/commands, no remotely accessible backdoor.

  • stefan_ 16 hours ago
    Previous: https://news.ycombinator.com/item?id=43301369

    This is not a remote exploit. It's arguably not even an exploit or backdoor at all, which is why this PR article is full of "democratized security" slop.