
Title: Spanish security firm finds hardware backdoor commands in Chinese Bluetooth chip ESP32

Author: TH30    Time: 2025-3-9 23:59     Title: Spanish security firm finds hardware backdoor commands in Chinese Bluetooth chip ESP32

(Translation) The Chinese Bluetooth chip ESP32 has been found to contain hardware backdoor commands; because of its ultra-low price, the chip is used in over a billion IoT devices worldwide. The vulnerability was discovered by researchers at the Spanish security firm Tarlogic Security and disclosed yesterday at the RootedCON security conference in Madrid.


Author: TH30    Time: 2025-3-10 00:02

https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/


Undocumented commands found in Bluetooth chip used by a billion devices
By Bill Toulas
March 8, 2025 11:12 AM

Update 3/9/25: After receiving concerns about the use of the term 'backdoor' to refer to these undocumented commands, we have updated our title and story. Our original story can be found here.

The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.

The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.

This was discovered by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who presented their findings yesterday at RootedCON in Madrid.

"Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices," reads a Tarlogic announcement shared with BleepingComputer.

"Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls."

The researchers warned that ESP32 is one of the world's most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk is significant.

In their RootedCON presentation, the Tarlogic researchers explained that interest in Bluetooth security research has waned but not because the protocol or its implementation has become more secure.

Instead, most attacks presented last year didn't have working tools, didn't work with generic hardware, and used outdated/unmaintained tools largely incompatible with modern systems.

Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.

Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
Author: chue    Time: 2025-3-10 00:44

Lots of cost issues.
Author: jacktsui    Time: 2025-3-10 09:36

Now they are so brazen they even use hardware; they even hand you the physical evidence.
Author: antlee    Time: 2025-3-10 13:24

The CVE entry mentioned in the article has a related write-up:
https://nvd.nist.gov/vuln/detail/CVE-2025-27840

The discoverer's (Tarlogic's) article has been updated to say "hidden feature":
https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/
03/09/2025 Update:
We would like to clarify that it is more appropriate to refer to the presence of proprietary HCI commands—which allow operations such as reading and modifying memory in the ESP32 controller—as a “hidden feature” rather than a “backdoor.”
The use of these commands could facilitate supply chain attacks, the concealment of backdoors in the chipset, or the execution of more sophisticated attacks. Over the coming weeks, we will publish further technical details on this matter.


https://www.flyingpenguin.com/?p=67838
This article argues that the commands do not amount to a backdoor but are "undocumented extensions of the standard interface" (Bluetooth HCI protocol, vendor-specific HCI commands); it considers them testing/debugging functions.
In other words, for anything to go wrong, the firmware on that ESP32 device would first need to have other vulnerabilities.

The last part of the article in post #2:
The risks arising from these commands include malicious implementations on the OEM level and supply chain attacks.

Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the commands might be possible via malicious firmware or rogue Bluetooth connections.

This is especially the case if an attacker already has root access, planted malware, or pushed a malicious update on the device that opens up low-level access.

In general, though, physical access to the device's USB or UART interface would be far riskier and a more realistic attack scenario.

"In a context where you can compromise an IoT device with an ESP32 you will be able to hide an APT inside the ESP memory and perform Bluetooth (or Wi-Fi) attacks against other devices, while controlling the device over Wi-Fi/Bluetooth," explained the researchers to BleepingComputer.

"Our findings would allow to fully take control over the ESP32 chips and to gain persistence in the chip via commands that allow for RAM and Flash modification."

"Also, with persistence in the chip, it may be possible to spread to other devices because the ESP32 allows for the execution of advanced Bluetooth attacks."


I'm not familiar with embedded programming (Arduino), but it just comes down to whether the Bluetooth stack / the individual firmware is dumb enough to leave the door wide open.
ESP32 https://en.wikipedia.org/wiki/ESP32
Its predecessor ESP8266 https://en.wikipedia.org/wiki/ESP8266
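The "Opcode 0x3F" in the article (post #2) is the vendor-specific Opcode Group Field (OGF) that the Bluetooth Core Specification reserves for proprietary HCI commands, and the flyingpenguin point above is that whether such commands can be reached depends on what the host stack lets through. The following is an added example, not Tarlogic's tool and not Espressif's code: it parses a stream of H4-framed HCI command packets, splits each opcode into OGF/OCF, flags OGF 0x3F, and applies a host-side policy that drops vendor-specific commands unless explicitly allowed. The sample byte stream is constructed, and the OCF 0x0001 vendor command in it is hypothetical; it is not one of Espressif's actual commands.

```python
"""Parse Bluetooth HCI command packets (H4 transport) and flag/drop the
vendor-specific ones (OGF 0x3F).  Added example for illustration only:
not Tarlogic's tool and not Espressif firmware, and it knows nothing about
Espressif's real proprietary OCFs."""
from dataclasses import dataclass
from typing import List

H4_COMMAND = 0x01           # H4 packet indicator for an HCI command packet
OGF_VENDOR_SPECIFIC = 0x3F  # Bluetooth Core spec: OGF 0x3F is reserved for vendor commands
OPCODE_OGF_SHIFT = 10       # opcode = (OGF << 10) | OCF
OPCODE_OCF_MASK = 0x03FF


@dataclass
class HciCommand:
    raw: bytes      # the complete H4 packet, header included
    opcode: int
    ogf: int
    ocf: int
    params: bytes

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def parse_h4_commands(data: bytes) -> List[HciCommand]:
    """Walk back-to-back H4 command packets: 0x01, opcode (LE16), param length, params.
    Stops at the first non-command or truncated packet instead of guessing."""
    cmds: List[HciCommand] = []
    i = 0
    while i < len(data):
        if data[i] != H4_COMMAND:
            break                       # ACL/SCO/event packets are out of scope here
        if i + 4 > len(data):
            break                       # truncated header
        opcode = data[i + 1] | (data[i + 2] << 8)
        plen = data[i + 3]
        end = i + 4 + plen
        if end > len(data):
            break                       # truncated parameter block
        cmds.append(HciCommand(
            raw=bytes(data[i:end]),
            opcode=opcode,
            ogf=opcode >> OPCODE_OGF_SHIFT,
            ocf=opcode & OPCODE_OCF_MASK,
            params=bytes(data[i + 4:end]),
        ))
        i = end
    return cmds


def vendor_commands(data: bytes) -> List[HciCommand]:
    """Detection view: everything the host tried to send under OGF 0x3F."""
    return [c for c in parse_h4_commands(data) if c.vendor_specific]


def enforce_policy(data: bytes, allow_vendor: bool = False) -> bytes:
    """Hardening view: re-emit the stream with vendor-specific commands dropped
    unless the caller has deliberately opted in (e.g. a factory/debug build)."""
    kept = [c.raw for c in parse_h4_commands(data) if allow_vendor or not c.vendor_specific]
    return b"".join(kept)


# Constructed sample stream (not captured from real hardware):
#  1) HCI_Reset: OGF 0x03, OCF 0x0003 -> opcode 0x0C03, no parameters
#  2) hypothetical vendor command: OGF 0x3F, OCF 0x0001 -> opcode 0xFC01, 4 parameter bytes
#  3) a truncated packet, to show the parser stops rather than mis-parsing
SAMPLE = bytes([
    0x01, 0x03, 0x0C, 0x00,
    0x01, 0x01, 0xFC, 0x04, 0xDE, 0xAD, 0xBE, 0xEF,
    0x01, 0x02, 0xFC,
])

if __name__ == "__main__":
    for c in parse_h4_commands(SAMPLE):
        tag = "VENDOR" if c.vendor_specific else "std"
        print(f"{tag:6} opcode=0x{c.opcode:04X} ogf=0x{c.ogf:02X} "
              f"ocf=0x{c.ocf:04X} params={c.params.hex()}")
    print("after policy:", enforce_policy(SAMPLE).hex())
```

The OGF/OCF split and the H4 framing are from the Bluetooth Core Specification; everything else (the policy function, the sample packets) is this example's own. Dropping OGF 0x3F wholesale will also break legitimate vendor commands that a stack needs at init, so in practice the allow-list would be per-OCF rather than a single boolean.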
Author: wunit    Time: 2025-3-10 14:26

Lots of cost issues.
Posted by chue on 2025-3-10 00:44


Is it for those initial pairing functions....?
Lots of IoT stuff uses weird methods for initial connection setup.

They really fly around in plaintext....
So IoT stuff must be walled off in its own zone.....
Author: VV    Time: 2025-3-13 14:19

Here is the Chinese version first:
ESP32 chip hit by a shocking security vulnerability? Official clarification: they are internal debugging commands, with no remote-access risk
Author: KING008    Time: 2025-3-13 17:14

You have it, and so do they.
Author: icefire    Time: 2025-3-14 01:13

How far will people go just to get a CVE ticket filed and call it a day.
Author: cyberx131    Time: 2025-3-15 17:49

That's just how the world is....either China spies on you...or the US screws you over...the world is never secure.





Welcome to HKEPC Hardware (https://h2.hkepc.com/forum/) Powered by Discuz! 7.2