cross-posted from: https://sopuli.xyz/post/23587111
The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented “backdoor” that could be leveraged for attacks.
The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.
This was discovered by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who presented their findings yesterday at RootedCON in Madrid.
I don’t think is is a backdoor. At the moment I wouldn’t consider this article any more than FUD.
It’s unclear to me if the security company has actually said what the vuln is or not, but if it’s what was presented in the slides linked in the article this is at worst something that can be “attacked” from a computer connected via USB (and I’m pretty sure it would also require special software already on the ESP32), where the attack is sending out possibly invalid bluetooth messages to try to attack other devices or flashing new firmware to the ESP itself. It’s not a general “backdoor” in the ESP32 itself. At least that’s the best interpretation I’ve been able to make. Happy to be corrected if anyone finds more info.
Holeeeee shiiiiet. Big news. Surprised it took this long to find. Attack vectors are minimal, but still post, so if this isn’t addressed, it’s a clear sign it was a CCP sponsored job.
From what I’ve read you need a physical usb connection to access this loophole.
Better call in Zero_Cool and Acid_Burn.
I don’t appreciate you referencing that movie in an unserious tone.
hack the planet!
Wasn’t it Crash Override and Acid Burn?
