Conversation
xenokovah@infosec.exchange

Xeno Kovah

I’ve posted a detailed explanation of why the claimed ESP32 Bluetooth chip “backdoor” is not a backdoor. It’s just a poor security practice, which is found in other Bluetooth chips by vendors like Broadcom, Cypress, and Texas Instruments too. https://darkmentor.com/blog/esp32_non-backdoor/

1
2
1
lina@vt.social

Hoshino Lina (星乃リナ) 🩵 3D Yuri Wedding 2026!!!

Reply to @xenokovah@infosec.exchange
Edited 9 months ago

@xenokovah I don't think your hypothetical "compromised userspace" scenario applies to the ESP32 in any practical usage. These are integrated chips (think "Bluetooth+WiFi+Arduino-on-a-chip") where the the user host code runs on the same chip, I think even in the same address space. So if that is compromised, the Bluetooth side is compromised regardless of the existence of the vendor commands.

In principle you could use an ESP32 as an external Bluetooth controller exposing HCI of course, and then the concern would apply, but I don't know why anyone would do that when dedicated Bluetooth chips designed to be used as HCI dongles exist. And then most of those have the same issues anyway...

4
0
1
charlotte

Charlotte/Cinny neoraccoon_flag_plural therian

Reply to @lina@vt.social

@lina @xenokovah I have certainly seen this for like arduino-style microcontroller development boards, but really it imo only matters if you want an actual security boundary between the bt chip and the main chip

1
0
1
lina@vt.social

Hoshino Lina (星乃リナ) 🩵 3D Yuri Wedding 2026!!!

Reply to @charlotte

@charlotte @xenokovah Right, but in this case it's all one chip...

You can use an ESP32 as a network controller for another microcontroller, but then you'd usually implement higher level protocols on the ESP32 and provide a higher level interface, not just expose raw HCI, I think. And if you don't, I don't think having a security boundary would be a requirement for most applications...

1
0
1
charlotte

Charlotte/Cinny neoraccoon_flag_plural therian

Reply to @lina@vt.social

@lina @xenokovah ah tbf i haven’t looked at the details on the arduino clone i have that does this, mostly because i’m not particularly interested in bluetooth

0
0
0
lispi314@udongein.xyz

LisPi

Reply to @lina@vt.social
@lina @xenokovah > And then most of those have the same issues anyway...

The Bluetooth ecosystem is an unmitigated disaster.
1
0
0
lina@vt.social

Hoshino Lina (星乃リナ) 🩵 3D Yuri Wedding 2026!!!

Reply to @lispi314@udongein.xyz

@lispi314 @xenokovah I don't think "USB device has firmware update or RAM read/write undocumented commands" is a Bluetooth thing... lots of devices do this kind of thing.

Only privileged userspace can issue raw HCI commands anyway (on a proper Bluetooth stack) so it's not like a random unprivileged app can compromise your Bluetooth controller.

1
0
0
hariprakashj@fosstodon.org

Hari Prakash

Reply to @lina@vt.social

@lina @xenokovah This is a bit weird but consider a scenario where the firmware for esp32 was modified with some new code which uses these undocumented instructions to do something malicious. Would it be hard to detect that? I guess it would be weird to see code that uses some weird undocumented instructions but would be it be obvious that its malicious to someone who is going through the firmware?

1
0
0
lina@vt.social

Hoshino Lina (星乃リナ) 🩵 3D Yuri Wedding 2026!!!

Reply to @hariprakashj@fosstodon.org

@hariprakashj @xenokovah "Would this feature be possibly useful as part of a way to hide/obfuscate malicious behavior" is not usually a criteria for labeling something a security issue. There are many ways to hide or obfuscate malicious behavior, especially when you are linking with vendor blobs like this.

There was even a whole contest about this:
https://en.m.wikipedia.org/wiki/Underhanded_C_Contest

Here is an article about how a very, very subtle API misuse in a similar IoT chip due to missing documentation introduced a memory safety issue:

https://tweedegolf.nl/en/blog/145/the-hunt-for-error--22

You could easily just make a similar "mistake" on the ESP32 to create a backdoor, if that was your goal.

0
1
1
lispi314@udongein.xyz

LisPi

Reply to @lina@vt.social
@lina @xenokovah The notion any random app with privilege escalation exploits can do it is not really any better.

Various systems are sufficiently insecure that most apps might as well be considered to have privileges from the get go.

There should be a hardware jumper or other element required to physically setup to enable reprogramming.
1
0
0
lina@vt.social

Hoshino Lina (星乃リナ) 🩵 3D Yuri Wedding 2026!!!

Reply to @lispi314@udongein.xyz

@lispi314 @xenokovah The only OS and platform that can seriously claim that getting root does not allow full kernel/platform compromise is macOS TBH, which is why Apple (and Xeno) care about this stuff and nobody else does. Every other platform has much bigger issues to worry about once you get root than a compromised Bluetooth controller.

0
0
0
xenokovah@infosec.exchange

Xeno Kovah

Reply to @lina@vt.social
Missing media descriptions
Show content

@lina @xenokovah I was addressing the research in the context in which it was given. I’m aware that chips can have varying architectures (attached but non-animated examples from future class), and that a HCI-using architecture is not necessarily the most likely in the case of the ESP32. And indeed given that the research focused on IoT devices in the last few slides, it seems like the least likely place for HCI to matter in some sense. But I didn’t want to muddy the water with speculation, and I have no direct knowledge of population distribution of different architectures in the ESP32-specific ecosystem. So it’s basically “OK, if they want to talk about a vulnerability under the assumption of HCI, let’s talk about it under that assumption”.

1
0
0
lina@vt.social

Hoshino Lina (星乃リナ) 🩵 3D Yuri Wedding 2026!!!

Reply to @xenokovah@infosec.exchange

@xenokovah I think the idea is that ESP32 uses HCI internally within the same chip, between user code and the Bluetooth host controller. So it's still HCI, but in a use case where it doesn't really matter.

1
0
0
xenokovah@infosec.exchange

Xeno Kovah

Reply to @lina@vt.social

@lina @xenokovah It is indeed possible that they continue to use HCI even in the single chip architecture. However, within Espressif’s response (https://www.espressif.com/en/news/response_esp32_bluetooth) is the statement “If ESP32 is used in a standalone application and not connected to a host chip that runs a BLE host, the aforementioned HCI commands are not exposed and there is no security threat.”. And my interpretation of that is that the ESP32 can also be used in 2-chip architectures in which HCI is the interface, per the Tarlogic researchers’ implied architecture.

1
0
0
lina@vt.social

Hoshino Lina (星乃リナ) 🩵 3D Yuri Wedding 2026!!!

Reply to @xenokovah@infosec.exchange

@xenokovah It's possible to use HCI via firmware API (see `esp_vhci_host_send_packet()`), though there are probably very few applications that do this. Most would use direct and higher level Bluetooth APIs.

At the end of the day, the number of actual devices/applications where the undocumented commands have an actual security impact is probably close to zero...

0
0
0
About Raccoon Noises

Rules

  • Hate against minority groups is forbidden. This includes racism, sexism, ableism, xenophobia, homophobia, transphobia, antisemitism, islamophobia, queer exclusionism, etc.

  • Content that is illegal under German Law is not permitted. This especially includes the promotion and dissemination of any Nazi symbolism and ideology, except for education, reporting on past or current events, and antifascist art.

  • Please add content description to all media that you post. This instance automatically adds a CW if it is missing. If you are unable to create one, you can request one via the #DescriptionWanted hashtag

  • Be considerate. Add content warnings for NSFW Content, common phobias, overly long posts, controversial subjects, etc. Please try to avoid flashing images and quickly moving text inside of your posts.

  • NSFW content is generally allowed, but all NSFW content must be properly marked as such, including kinks. Profile images, names, bios, etc must be fully SFW, or they are subject to removal

  • Bots are allowed, however they must be marked as such and must make unlisted posts, may only @ or interact with posts of other users iff they have prompted the bot, or have given explicit permission to do so. Additionally, bots may not post more than 10 posts in a 60 minute interval without interaction.

We highly encourage reporting posts violating our rules, even if they are not on our instance. Your reports will not be ignored. For transparency we publish local moderation decisions for users on this server, and federation moderation decisions on the #FediBlock hashtag. We do the following moderation automatically:

  • Unlisting of bot posts

  • Modification or removal of posts that cause issues with certain clients

Privacy Policy

What data do we collect?

We collect the following data:

  • Email Addresses from local users

  • Posts and Media uploaded by local users

  • User Profiles and Posts by certain remote users

How do we collect your data?

If you are a user of this instance, we collect and process your data when you sign up for or use interactive features (e.g. Posting) of the Website. If you are not a local user, we collect your data over the following ways:

  • One of our users has requested to follow your account, and you have accepted the request.

  • One of your posts has been interacted with by a remote account, that a local account has followed. This includes Replies, Repeats, Quotes, Likes, Emoji Reactions, and @-Mentions.

  • You have requested that your post is shown to one of our users (i.e. through @-Mentions or DMs)

  • One of our users has explicitly looked up your profile or one of your posts on this instance, for example to interact with it.

How will we use your data?

We collect your data so that we can:

  • Store and display your posts to our local users

  • Display public posts to anonymous users

  • Deliver your public, unlisted, and private posts to your followers

  • Deliver direct messages to the recipient

  • Allow our users to follow you

  • Allow our users to interact with your posts

How do we store your data?

We store your post, profile and account data on a server near Chemnitz, Germany. Media is stored on Vultr We employ technical security measures to avoid exposure to sensitive data. We also store backups of post, profile, and account data in multiple locations, in an encrypted form, as well as on Hetzner. For technical reasons it is not possible modify these backups to remove your data. If this is a concern, please contact us.

What are your data protection rights?

We want to make sure that you are aware of your data protection rights. Every user is entitled to the following:

The right to access — You can request a copy of the data we have about you. This may require a short verification for remote users. Local users can do so in the settings under Export/Import

The right to rectification — You can request us to correct any information you believe is inaccurate. You also have the right to request us to complete the information you believe is inaccurate.

The right to erasure — You can request us to erase the data we have about you.

The right to restrict to processing — You can restrict us from transmitting your posts to other servers by setting your post visiblity to “Local”. Remote users can also restrict processing of certain posts, by setting its visiblity to “Unlisted” or “Private”.

The right to object to processing — As a remote user, you can object to further processing of posts and profile data by blocking this domain.

The right to data portability — You can at any point move to other instances. Due to technical restrictions, it is currently not possible to automatically transfer the users you follow and posts to your new account.

If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, or need help with the included tools, please contact us at our email privacy@chir.rs

Cookies

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology For further information, visit allaboutcookies.org. How do we use cookies? We use cookies for keeping you logged in. Additionally we store certain configuration in cookies, however these cookies are never transmitted to anyone. How to manage cookies You can tell your browser to not accept cookies, or tell it to remove cookies this website has stored on your device. Please consult your browser’s documentation on instructions on how to do that.

Privacy policies of other websites

This site contains many links to other websites. This privacy policy only applies to this website. Please consult the privacy policy of these remote sites before entering any personal information.

Changes to our privacy policy

We may make occasional adjustments to this privacy policy. This policy was last updated on 2025-10-21.

How to contact us

If you have any questions about this policy, the data we hold about you, or want to exercise one of your data protection rights, please contact us at: privacy@chir.rs

How to contact the appropriate authority

Should you wish to report a complaint, or if you feel that we haven’t addressed your concern in a satisfactory manner, you may contact the Sächsische Datenschutzbehörde.

We also offer the Mastodon Web UI. Keep in mind that some features are missing, like emoji reactions, quoting, and JPEG XL.

Art Credit