This seems like a relatively critical issue considering the nature of ESP32.
Can this be used to “jailbreak” proprietary devices that use it?
It sounds like it’ll let you do arbitrary read/writes to memory, so probably yes?
Edit: so yeah, further reading into this and some video later from LowLevel confirmed that this is quite nothing burger. The “vulnerability” is an undocumented HCI command. Host to Controller Interface. Meaning that it is something the HOST (the ESP) dispatch to the Bluetooth Interface. To take advantage of such a command, you need to already have access to the ESP32 in the first place.
So, the tl;dr is that the “vulnerability” only matters when the attacker has access to the device already. Not really that big of an issue.
an attacker can gain access to the ESP32 not the device that connects to the ESP themselves. I don’t know how bluetooth pairing would behave when the device that once masquerade as a light switch now advertises themselves as smart watch. I presume it would require further confirmation from the user. If that is the case, then the danger is when ESP32 is used in a device that is already collecting sensitive information with an active bluetooth stack since that device can now be remotely hacked. But I will defer my judgement on this matter after the PoC has been demonstrated (can’t find any demo of any proof of concept attack, just the same article copy pasted multiple times on different site)Just another reason why the PI 2350 is a big deal.
There have been security holes in Espressif’s stack for years.
Why?
Because it doesn’t have any Bluetooth to be exploited?Seems the boards have an Infeneon modem on top. Is that any better?Because it is an open design with very few (if any) hidden aspects to it.
This podcast hypes it much better than I ever could:
Uh, it’s going to take me some time to listen to a 90min podcast. I hope they even talk about wifi and bluetooth. Usually that kind of code and intellectual property is a completely different story than your usual microcontroller design. Thx for the link.
No problem.
Trust me, it’s worth it. You’re probably right about the WiFi module. I don’t even remember them mentioning it, honestly.
It’s probably a closed, obfuscated module. Still, I stand by my initial assessment that I’d trust whatever they chose a hell of a lot more than a China-based company like Espressif.
I can’t wait for end to end open hardware but perhaps I’m a tad breathless over something that doesn’t apply to this article.
Am I correct that this would allow someone to remotely attack everything on my network, even non-ESP devices? So, my ESP lightbulb is putting my PC and phone at risk?
That’s sort of true of all exploits. It needs someone in Bluetooth range to hack the esp32 at which point the esp32 could become a jump point for anything. Mind you any bad app on your phone could also be used to attack your PC. But if something is in Bluetooth range, they could just attempt to attack your phone/PC directly.
Technology is so fun… Thanks for putting this in perspective!
