Source Link Privacy.

Privacy test result

https://themarkup.org/blacklight?url=https%3A%2F%2Fwww.tarlogic.com%2Fnews%2Fbackdoor-esp32-chip-infect-ot-devices%2F&device=mobile&location=us-ca&force=false

Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.

Update: The ESP32 “backdoor” that wasn’t.

  • priapus@sh.itjust.works
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    7 days ago

    This isn’t a backdoor. Just a company trying to make a name for themselves by sensationalizing a much smaller discovery.

    • COASTER1921@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 days ago

      Seriously this. Every single IC which has digital logic contains some number of undocumented test commands used to ensure it meets all the required specifications during production. They’re not intended to be used for normal operation and almost never included in datasheets.

      • xthexder@l.sw0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        8 days ago

        If anyone’s ever followed console emulator development, they know those undocumented commands are everywhere. There’s still people finding new ones for the N64 hardware

        Edit: I should say undocumented behavior, not necessarily new commands

  • Thrawne@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    8 days ago

    Fukin dmnit! I just spent the last several months fine tuning a PCB design supporting this platform. I have , what i believe to be my last iteration, being sent to fab now. I have to look i to this. My solution isnt using bluetooth, so i dont know if im vulnerable.

  • ycnz@lemmy.nz
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 days ago

    I hate it when an attacker who already has root access to my device gets sightly more access to the firmware. Definitely spin up a website and a logo, maybe a post in Bloomberg.

  • NightCrawlerProMax@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 days ago

    The other day someone posted in Canada community that Canada should stop using Tesla cars and import Chinese cars. I replied saying, “That’s like replacing one evil with another.” I was downvoted by a lot of people. I should’ve expected it cuz a lot of people have short term memory.

    • Montreal_Metro@lemmy.ca
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      9 days ago

      A lot of people are dumb. Or maybe because they feel offended because they are Chinese, but the reality is that every Chinese company is ultimately controlled by the CCP. If I was fighting a cold war, I would do the same. Sell compromised devices to my trade partners (AKA enemies) so I have leverage when I need it.

      • DigitalDilemma@lemmy.ml
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 days ago

        the reality is that every Chinese company is ultimately controlled by the CCP.

        Yes.

        But in the same way that every US company is ultimately controlled by the US Government. And every EU company by them. And every other country by their own government.

    • Subdivide6857@midwest.social
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 days ago

      “China bad” because western media says so. Please disregard the billions of dollars spent by western governments to ensure you keep thinking that way.

      It’s just another capitalistic country no better or worse than Canada or the USA. Though, the Chinese government has said their intention is to move towards socialism, so good for them. I’m stuck over here witnessing fascist billionaires loot the government/working class.

      • NoSpotOfGround@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 days ago

        Well, no, China is bad because freedom is very restricted there and because they have ambitions to dominate the world.

        Yes, every other world power in the world is more or less the same. People cannot, in general, be trusted to be “good” when given the opportunity to abuse. A world power can be held in check by the presence and efforts of other world powers, though.

      • pulsewidth@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        8 days ago

        No, ‘China bad’ because many many examples of China bad. Such as the topic of this post.

        The whole “you can’t criticize China because you’re from a country that also does bad things” is logically worthless. It’s the appeal to hypocrisy fallacy.

        Not sure if you realize this but China is also ruled by a kleptocratic billionaire class that loots the working class even moreso than the US, so i’m not sure why you look up to them - China has more billionaires and a much larger wealth divide than the US. Actions speak louder than words and while Xi and the CCP often talk about cracking down on thier ultra-wealthy, they don’t really do much - couple billionaires might disappear occasionally though if they don’t praise the party line publically. One thing is for sure - I don’t see any elite CCP party members that are not also very wealthy. And it’s everyone else that’s propagandized 🤔

      • ubergeek@lemmy.today
        link
        fedilink
        English
        arrow-up
        0
        ·
        8 days ago

        China is bad, because they too are a colonialism and imperialistic nation.

        Just like the US and Russia.

        • Subdivide6857@midwest.social
          link
          fedilink
          English
          arrow-up
          0
          ·
          8 days ago

          Living conditions there continue to improve, while ours decline. A whole lot of boogie man bullshit. This article is intentionally fear mongering.

          The CCP isn’t putting in a back door requiring on-site access in your litter box.

    • matlag@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 days ago

      Because that’s not about privacy, that’s about the trade war. Retaliatory tariffs on US cars increase cost of cars for Canadians, as there are almost no car assembled in Canada. Reducing or eliminating tariffs on cars from China would lower cost of new cars for Canadians while keeping the tariffs up.

      For privacy and security, not a single new car on the market is decent right now. That should be regulated, but that’s no concern for any politician at the moment.

        • matlag@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          0
          ·
          8 days ago

          Yes, but Canada had implemented 100% tariff on cars from China, following the US. That’s pre-trade war. The proposal is to lift that one.

      • NightCrawlerProMax@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 days ago

        CCP has backdoor into every tech that comes out of China. It’s not about just privacy. They control democracies based on shaping narratives. They’ll utilize everything that democracy offers and use it against countries. They don’t have freedom of speech or press so they themselves are not victims of it. EVs are really just computers on the road. Flooding the market with Chinese EVs would just mean creating a massive free network on a foreign soil for them.

        • matlag@sh.itjust.works
          link
          fedilink
          English
          arrow-up
          0
          ·
          8 days ago

          Summary: China is not a friend country. It’s a hostile country. Yes, we know.

          But the news is… so is the USA to Canada now. A hostile country threatening to annex Canada and trying to cripple the economy as a way to achieve the goal. So either we slap 100% tariffs on US made cars, which would hurt Canadians, or we apply the same tariffs on Chinese cars, so reduce them from where they are at the moment.

        • freely1333@reddthat.com
          link
          fedilink
          English
          arrow-up
          0
          ·
          8 days ago

          As opposed to the teslas with the back doors for the us government… but will be moot when Canada is part of the states anyway

      • Rexios@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        8 days ago

        Idk maybe specify that it was determined to not be a backdoor. Right now it reads as anti-china fear mongering.

        • Oisteink@feddit.nl
          link
          fedilink
          English
          arrow-up
          0
          ·
          8 days ago

          Could be propaganda as well - why not scare the monkeys with the bad Chinese? Without ESPs the market is so much easier to control.

          Note:I use both the ES8266ex and different ESP32s in my projects.

        • fuamerikkka@lemm.ee
          link
          fedilink
          English
          arrow-up
          0
          ·
          7 days ago

          Thank you, I keep getting down voted because I said the same, but obviously other get it. Appreciate you and the sanity check!

      • Zron@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        7 days ago

        It allows the takeover of devices!

        How?

        By already having taken over the device.

        Wtf is this reporting

  • Jerkface (any/all)@lemmy.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    8 days ago

    Weird that they removed the reference to ESP32, one of the most common and widely known microcontrollers, from the headline.

    • AlexWIWA@lemmy.ml
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 days ago

      It’s because the security company basically lied about this being a vulnerability, and probably opened themselves up to a lawsuit.

  • notanapple@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 days ago

    We really should be pushing for fully open source stack (firmware, os) in all iot devices. They are not very complicated so this should be entirely possible. Probably will need a EU law though.

    • secret300@lemmy.sdf.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 days ago

      I 100% believe firmware should be open source no question about it. There’s so many devices out there especially phones and iot devices that just become e-waste because you can’t do anything with it once it’s not supported if it was open source and documented in some way then it could be used. I have like five cheap phones that I got because they were so cheap but once they lost support they’ve become completely useless even though they still work.

      • Malfeasant@lemm.ee
        link
        fedilink
        English
        arrow-up
        0
        ·
        8 days ago

        But then big companies wouldn’t be able to keep milking the consumer via planned obsolescence. Won’t somebody think of the shareholders?

    • oldfart@lemm.ee
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 days ago

      Open source stack will not prevent this. It’s not even a backdoor, it’s functionality that these researches think should be hidden from programmers for whatever reason.

      Open source devices would have this functionality readily available for programmers. Look at rtl-sdr, using the words of these researches, it has a “backdoor” where a TV dongle may be used to listen to garage key fobs gasp everyone panic now!

  • Oisteink@feddit.nl
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 days ago

    Too much fanfare and too little real info shared to be of any value. Sounds more like an ad than infosec

  • m-p{3}@lemmy.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 days ago

    One more reason to have actual open-source drivers instead of binary blobs…

  • NauticalNoodle@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    8 days ago

    Does anyone know where it is that we can find these new commands? I have an esp32 dev kit just a few feet away from me as i read this. It might be interesting to know what these new product “features” are.

  • Dasus@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    8 days ago

    Haha. I wear cheap Chinese bluetooth literally on my skull like 95% of the time, web when sleeping.

    Hope they enjoy my thoughts.

  • CosmoNova@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 days ago

    Not the first time a backdoor was found on Chinese made hardware and it won‘t be the last time. Decoupling can‘t happen quickly enough.

    • surewhynotlem@lemmy.world
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 days ago

      Which government’s backdoors would you prefer?

      “We know you have a choice in oppressive governments, so we appreciate you choosing ours.”

    • randompasta@lemmy.today
      link
      fedilink
      English
      arrow-up
      0
      ·
      9 days ago

      True, but the ESP32 is used by a lot of devices. This backdoor is pretty huge in scope of devices impacted.

      • earphone843@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 days ago

        It depends on what the method of attack is. I’m not seeing anything saying that it would be possible to exploit wirelessly, so this could easily be mostly a non-issue.