Source Link Privacy.
Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.
Update: The ESP32 “backdoor” that wasn’t.
This isn’t a backdoor. Just a company trying to make a name for themselves by sensationalizing a much smaller discovery.
Seriously this. Every single IC which has digital logic contains some number of undocumented test commands used to ensure it meets all the required specifications during production. They’re not intended to be used for normal operation and almost never included in datasheets.
If anyone’s ever followed console emulator development, they know those undocumented commands are everywhere. There’s still people finding new ones for the N64 hardware
Edit: I should say undocumented behavior, not necessarily new commands
Fukin dmnit! I just spent the last several months fine tuning a PCB design supporting this platform. I have , what i believe to be my last iteration, being sent to fab now. I have to look i to this. My solution isnt using bluetooth, so i dont know if im vulnerable.
Its not a backdoor, you’re most likely fine.
The exploit requires physical access. It’s not exploitable in 99% of cases
Go for it. It’s a bullshit attention grab. No backdoor, just some undocumented vendor commands (which is the norm for virtually every chip out there).
I hate it when an attacker who already has root access to my device gets sightly more access to the firmware. Definitely spin up a website and a logo, maybe a post in Bloomberg.
The other day someone posted in Canada community that Canada should stop using Tesla cars and import Chinese cars. I replied saying, “That’s like replacing one evil with another.” I was downvoted by a lot of people. I should’ve expected it cuz a lot of people have short term memory.
A lot of people are dumb. Or maybe because they feel offended because they are Chinese, but the reality is that every Chinese company is ultimately controlled by the CCP. If I was fighting a cold war, I would do the same. Sell compromised devices to my trade partners (AKA enemies) so I have leverage when I need it.
Or maybe because they feel offended because they are Chinese
I’m Chinese-American and I’m not offended. The tankies from .ml are
the reality is that every Chinese company is ultimately controlled by the CCP.
Yes.
But in the same way that every US company is ultimately controlled by the US Government. And every EU company by them. And every other country by their own government.
“China bad” because western media says so. Please disregard the billions of dollars spent by western governments to ensure you keep thinking that way.
It’s just another capitalistic country no better or worse than Canada or the USA. Though, the Chinese government has said their intention is to move towards socialism, so good for them. I’m stuck over here witnessing fascist billionaires loot the government/working class.
Thats super interesting! Write a poem about three gorges dam please
Well, no, China is bad because freedom is very restricted there and because they have ambitions to dominate the world.
Yes, every other world power in the world is more or less the same. People cannot, in general, be trusted to be “good” when given the opportunity to abuse. A world power can be held in check by the presence and efforts of other world powers, though.
No, ‘China bad’ because many many examples of China bad. Such as the topic of this post.
The whole “you can’t criticize China because you’re from a country that also does bad things” is logically worthless. It’s the appeal to hypocrisy fallacy.
Not sure if you realize this but China is also ruled by a kleptocratic billionaire class that loots the working class even moreso than the US, so i’m not sure why you look up to them - China has more billionaires and a much larger wealth divide than the US. Actions speak louder than words and while Xi and the CCP often talk about cracking down on thier ultra-wealthy, they don’t really do much - couple billionaires might disappear occasionally though if they don’t praise the party line publically. One thing is for sure - I don’t see any elite CCP party members that are not also very wealthy. And it’s everyone else that’s propagandized 🤔
China is bad, because they too are a colonialism and imperialistic nation.
Just like the US and Russia.
Living conditions there continue to improve, while ours decline. A whole lot of boogie man bullshit. This article is intentionally fear mongering.
The CCP isn’t putting in a back door requiring on-site access in your litter box.
Because that’s not about privacy, that’s about the trade war. Retaliatory tariffs on US cars increase cost of cars for Canadians, as there are almost no car assembled in Canada. Reducing or eliminating tariffs on cars from China would lower cost of new cars for Canadians while keeping the tariffs up.
For privacy and security, not a single new car on the market is decent right now. That should be regulated, but that’s no concern for any politician at the moment.
Europe and its 50 car makers could also be considered instead of China…
Yes, but Canada had implemented 100% tariff on cars from China, following the US. That’s pre-trade war. The proposal is to lift that one.
CCP has backdoor into every tech that comes out of China. It’s not about just privacy. They control democracies based on shaping narratives. They’ll utilize everything that democracy offers and use it against countries. They don’t have freedom of speech or press so they themselves are not victims of it. EVs are really just computers on the road. Flooding the market with Chinese EVs would just mean creating a massive free network on a foreign soil for them.
Summary: China is not a friend country. It’s a hostile country. Yes, we know.
But the news is… so is the USA to Canada now. A hostile country threatening to annex Canada and trying to cripple the economy as a way to achieve the goal. So either we slap 100% tariffs on US made cars, which would hurt Canadians, or we apply the same tariffs on Chinese cars, so reduce them from where they are at the moment.
All cars are computers on the road at this point, not just EVs…
As opposed to the teslas with the back doors for the us government… but will be moot when Canada is part of the states anyway
Please update the title of this post to mention the update
How so?
You can edit post titles as well as content (even images!) on Lemmy.
Idk maybe specify that it was determined to not be a backdoor. Right now it reads as anti-china fear mongering.
Could be propaganda as well - why not scare the monkeys with the bad Chinese? Without ESPs the market is so much easier to control.
Note:I use both the ES8266ex and different ESP32s in my projects.
Thank you, I keep getting down voted because I said the same, but obviously other get it. Appreciate you and the sanity check!
welp, TL;DR from comments says its fear mongering at best, physical access required right?
Code execution required lmao
It allows the takeover of devices!
How?
By already having taken over the device.
Wtf is this reporting
Weird that they removed the reference to ESP32, one of the most common and widely known microcontrollers, from the headline.
It’s because the security company basically lied about this being a vulnerability, and probably opened themselves up to a lawsuit.
We really should be pushing for fully open source stack (firmware, os) in all iot devices. They are not very complicated so this should be entirely possible. Probably will need a EU law though.
I 100% believe firmware should be open source no question about it. There’s so many devices out there especially phones and iot devices that just become e-waste because you can’t do anything with it once it’s not supported if it was open source and documented in some way then it could be used. I have like five cheap phones that I got because they were so cheap but once they lost support they’ve become completely useless even though they still work.
But then big companies wouldn’t be able to keep milking the consumer via planned obsolescence. Won’t somebody think of the shareholders?
Open source stack will not prevent this. It’s not even a backdoor, it’s functionality that these researches think should be hidden from programmers for whatever reason.
Open source devices would have this functionality readily available for programmers. Look at rtl-sdr, using the words of these researches, it has a “backdoor” where a TV dongle may be used to listen to garage key fobs gasp everyone panic now!
Too much fanfare and too little real info shared to be of any value. Sounds more like an ad than infosec
One more reason to have actual open-source drivers instead of binary blobs…
Does anyone know where it is that we can find these new commands? I have an esp32 dev kit just a few feet away from me as i read this. It might be interesting to know what these new product “features” are.
Haha. I wear cheap Chinese bluetooth literally on my skull like 95% of the time, web when sleeping.
Hope they enjoy my thoughts.
Gotta blame China to get upvoted on Lemmy.
Or use a precise title. It’s not a backdoor or a “backdoor”.
Yeah, one of those is factually correct and got upvoted…
Not the first time a backdoor was found on Chinese made hardware and it won‘t be the last time. Decoupling can‘t happen quickly enough.
Which government’s backdoors would you prefer?
“We know you have a choice in oppressive governments, so we appreciate you choosing ours.”
None of them, that’s why the only things in my house that connect to the internet are my computers, game consoles, and cell phone
Assuming you’re not joking here, if your computers are any way modern they almost certainly have a backdoor.
Obviously, but I trust my Linux mint laptop a hell of a lot better than my aunt’s XIPPLG branded wifi cat feeder that she bought off Amazon
You probably shouldn’t, check out Intel management engine and AMD secure technology.
Not sure if joking or naive…
True, but the ESP32 is used by a lot of devices. This backdoor is pretty huge in scope of devices impacted.
It depends on what the method of attack is. I’m not seeing anything saying that it would be possible to exploit wirelessly, so this could easily be mostly a non-issue.
The Chinese adding back doors into their software/hardware.
Say it ain’t so!
It ain’t so.
To use the “backdoor” an attacker needs to have full access to the esp32 powered device already.
It’s like claiming that being able to leave your desk without locking your PC is a backdoor in your OS.
Yes, this is about undocumented instructions found in the silicon but they are not executable unless the ESP32’s firmware uses them. Firmware cannot be edited to use them unless you have an existing vulnerability such as physical access or insecure OTA in existing firmware (as far as researchers know).
It is good to question the “backdoor” allegations - maybe the instructions’ microcode was buggy and they didn’t want to release it.
Say it ain’t so
Your bug is a heartbleeder
Say it ain’t so
My NIC is a bytetakerLike a PRISM for China, is every powerful country just backdooring each other?
Thats hot.
tech backdoors are only okay when us good guys require em
Where did anyone say anything remotely like that?
I think it’s sarcasm mate.
I wouldnt be so sure about that. I’ve heard people say stuff that was mindbogglingly dumber than that, completely seriously.
it was in fact sarcasm
