Undocumented Commands Found In Bluetooth Chip Manufactured in China Used By a Billion Devices.

You literally need physical access to the device to exploit it

You don't need physical access. Read the article. The researcher used physical USB to discover that the Bluetooth firmware has backdoors. It doesn't require physical access to exploit.

It's Bluetooth that's vulnerable.

https://www.bleepingcomputer.com/news/security/undocumented-backdoor-found-in-bluetooth-chip-used-by-a-billion-devices/

I do have a few outside. Probably not the best security-wise. Haha. Those are the first to get patched when one comes out.

In that case, how long til some open source project uses it to make a custom firmware to bypass the manufacturer bs and integrate my cheap IoTs seamlessly into Home assistant?

Wrong. Read the analysis. It is a BT vulnerability. One can probably design a cheap attack system that just sends a erase flash command to any BT device in reach, instantly bricking every BT enabled ESP32 device.

But then big companies wouldn't be able to keep milking the consumer via planned obsolescence. Won't somebody think of the shareholders?

This is about silicon. Undocumented instructions have just been found in it but they are not executable unless the ESP32's firmware uses them. Firmware cannot be edited to use them unless you have an existing vulnerability such as physical access or insecure OTA in existing firmware (as far as researchers know).

thats a very fair point, I had not seen anyone else make this one But the problem is that in this case, this functionality was entirely undocumented. I dont think it was intended for programmers.

Now if the firmware was open source, people would have gotten to know about this much sooner even if not documented. Also such functionality should ideally be gated somehow through some auth mechanism.

Also just like how the linux kernel allows decades old devices to be at the very least patched for security risks, open firmware would allow users of this chip to patch it themselves for bugs, security issues.

The article is a security company trying to hype their company with a theoretical attack that currently has no hypothetical way to be abused

The article has an update now fixing the wording to "hidden feature" but, spoilers, every BT device has vendor specific commands.

The documentation of the part just wasn't complete and this companies "fuzzing" tool found some vendor commands that weren't in the data sheet

The China part just came from OP

Pull up a chair and pour yourself a stiff beverage...

TLDR: Don't Panic.

If you have a regular old processor (MCU) and want to give it wireless capability, you can buy a wireless chip and stick it next to the processor, then have the MCU talk to it through a wired connection (typically UART or SPI). Think of it as the old ATDT commands that had your PC control your old screeching modems.

To standardize this communication protocol, folks came up with the Host Controller Interface (HCI) so you didn't have to reinvent that protocol for every new chip. This was handy for people on the MCU side, since they could write firmware that worked with any wireless chip out there, and could swap out for a cheaper/faster one with minimal change.

Fast forward to the era of integrated MCU+wireless, where you had a little ARM or other lightweight processor plus a little radio, and the processor could run programs in a high-level API that abstracted out the low level wireless stuff. Plus, you could use the same radio for multiple wireless protocols, like BLE, wifi, ANT, etc. Nordic and TI were early adopters of this method.

Typically, it was the vendor's own processor talking to their own wireless module, but they still implemented the full HCI interface and let it be accessed externally. Why? So if your design needed an extra beefy processor and used the MCU+wireless chip as a simple communication module, this would still work. The teeny MCU could be used to run something extra in parallel, or it could just sit idle. A typical example could be a laptop or cell phone. The little MCU is too small for everything else, so you pair it with a big chip and the big chip drives the little chip through HCI.

Sure, it would be cheaper if you just went with a basic 'dumb' wireless chip, as folks from CSR, Broadcom, and Dialog kept pointing out. But the market demanded integrated chips so we could have $10 activity trackers, fancy overpriced lightbulbs, and Twerking Santas (https://www.amazon.com/twerking-santa-claus/s?k=twerking+santa+claus).

For integrated MCU+wireless chips, most vendors didn't release the super low-level firmware that ran between them. There was no need. It was internal plumbing. They exposed SDKs so you could control the wireless chip, or high-level Bluetooth/wifi APIs so you could connect and talk to the outside world in a few lines of code. These SDKs were unique to each vendor (like Nordic's nRF Connect library, or TI's SimpleLink SDK).

Then along came Espressif out of Shanghai, China with a combo chip (ESP8266) that offered processor + wifi and was so cheap and easy to program that it took the hobbyist market by storm. Oh, god... so many LED light strips, perfect for Christmas and blinky EDM lightup outfits (hello, Adafruit: https://www.adafruit.com/category/65).

Fast forward and Espressif drops the ESP32. A bigger, faster Tensilica Xtensa processor, with built-in flash storage, plus wifi, Bluetooth, and BLE in one place. Plus lots of peripherals, busses, and IO pins. Also, running FreeRTOS and eventually Arduino SDKs, and MicroPython. All for less than $5! It took off like a rocket. So many products. Plus, you could run them as little webservers. Who doesn'l love a little webserver in their pocket?

It's gone through a few variations, including swapping out the Tensilica with an open-source RISC-V MCU, but otherwise it's a massive seller and the gateway drug for most IoT/Smarthome nerds.

So along come these Tarlogic researchers, looking to build a direct USB to bluetooth library. This way, you can drive the wireless from, say Linux, directly. There are already BLE to USB stacks, but this one is giving access at the HCI level, in a C library. Handy if you're doing research or developing drivers, but not the sort of thing your typical DIY pereon needs.

As part of their process, the researchers decide to dump the really low level ESP32 firmware and reverse engineer it.

A typical HCI implementation is a giant event loop that handles HCI opcodes and parameters. Host wants to talk to the outside world, it sets up some registers, configures the unique MAC address, then opens a channel and starts sending/receiving (hopefully without the modem screeching tones). There are typical packet encoders and decoders, multiple ISO/TCP layers, and the sort of thing that most people assume somebody else has gotten right.

For fancier implementations, there may be interrupt or DMA support. Sometimes, there's a multi-tasking part under the hood so they can time-slice between wifi, bluetooth, and ble (aka Fusion or Coexistence support). Not that you should care. The internals of this stuff is usually nobody's business and the vendors just include a binary blob as part of their SDK that handles things. The host systems just talk HCI. The wireless side talks HCI on the wired side, and wireless on the radio side. Everyone's happy.

In the process of reverse engineering the low-level HCI blob, these researchers found a few extra undocumented HCI opcodes. They're not sure what they're for, but according to their presentation (https://www.documentcloud.org/documents/25554812-2025-rootedcon-bluetoothtools/) if my super rusty Spanish holds up, it has to do with setting MAC addresses and handling low-level Link-Level Control Protocol communications (https://www.ellisys.com/technology/een_bt10.pdf).

Now in an of itself, this is no big deal. ESP32s already let you easily set your own temporary MAC address (https://randomnerdtutorials.com/get-change-esp32-esp8266-mac-address-arduino/), so there has to be a way to override the manufacturer one. And LLCP management is a totally geeky low-level thing that the MCU needs when handling wireless packets. There are perfectly good reasons why the opcodes would be there and why Espressif may not have documented them (for example, they could be used only during manufacturing QA).

So the original presentation is a teeny bit of an exaggeration. Yes, the opcodes exists. But are they nefarious? Should we stick all our ESP32s inside Faraday cages? Is this a secret plan for the CCP to remotely control our lights and plunge the world into chaos?

As I said before, ONLY if there's a secret as-yet-undiscovered wireless handshake that gives remote wireless access to these (or really, pretty much any other published HCI opcode). That presentation most definitely doesn't claim that.

To see if there is a REAL backdoor, you should wait for an analysis from fine professional wireless debugging vendors like Ellisys (starting models run $30K and up), Frontline, or Spanalytics.

Incidentally, Tarlogic, the group that put out that paper have their own BLE analyzer product (https://www.tarlogic.com/es/productos/analizador-bluetooth-le/). They look to know their stuff, so they should know better than putting out clickbait-y hair-on-fire reports. But come on, who can resist a good CCP/backdoor headline? Will media run with this and blow it out of proportion? No way!

If you've read this far, you must safely be on your third drink or the edible's just kicked in. Stop panicking, and wait until the pro sniffer and Bluetooth forum people give their opinions.

If it turns out there is an actual WIRELESS backdoor, then by all means, feel free to panic and toss out all your Smarthome plugs. Go ahead and revert to getting up and flicking on your light switch like a peasant. Have a sad, twerk-free Christmas.

But over a few undocumented HCI opcodes? Have another drink and relax.

Happy Sunday.

PS: controversy already up on wikipedia: https://en.m.wikipedia.org/wiki/ESP32

PPS: you may want to stock up on ESP32s for your light-up Christmas light project. Don't be surprised if Espressif doesn't get smacked with some hard tariffs or an outright ban, based on these ragebait headlines 🤷🏻‍♂️

Europe and its 50 car makers could also be considered instead of China..

CCP has backdoor into every tech that comes out of China. It’s not about just privacy. They control democracies based on shaping narratives. They’ll utilize everything that democracy offers and use it against countries. They don’t have freedom of speech or press so they themselves are not victims of it. EVs are really just computers on the road. Flooding the market with Chinese EVs would just mean creating a massive free network on a foreign soil for them.

Or maybe because they feel offended because they are Chinese

I'm Chinese-American and I'm not offended. The tankies from .ml are

the reality is that every Chinese company is ultimately controlled by the CCP.

Yes.

But in the same way that every US company is ultimately controlled by the US Government. And every EU company by them. And every other country by their own government.

Jesus. Okay. So when you say, "being short sighted", you don't literally mean the geometry of their eyes is myopic. You mean it figuratively. Exactly like the person you are correcting clearly means it figuratively when they say "short-term memory".

Thats super interesting! Write a poem about three gorges dam please

Well, no, China is bad because freedom is very restricted there and because they have ambitions to dominate the world.

Yes, every other world power in the world is more or less the same. People cannot, in general, be trusted to be "good" when given the opportunity to abuse. A world power can be held in check by the presence and efforts of other world powers, though.

No, 'China bad' because many many examples of China bad. Such as the topic of this post.

The whole "you can't criticize China because you're from a country that also does bad things" is logically worthless. It's the appeal to hypocrisy fallacy.

Not sure if you realize this but China is also ruled by a kleptocratic billionaire class that loots the working class even moreso than the US, so i'm not sure why you look up to them - China has more billionaires and a much larger wealth divide than the US. Actions speak louder than words and while Xi and the CCP often talk about cracking down on thier ultra-wealthy, they don't really do much - couple billionaires might disappear occasionally though if they don't praise the party line publically. One thing is for sure - I don't see any elite CCP party members that are not also very wealthy. And it's everyone else that's propagandized 🤔

China is bad, because they too are a colonialism and imperialistic nation.

Just like the US and Russia.

Solid article. I imagine the folks at the cyberwire podcast will be doing more digging over the weekend for a solid summary come Monday.

Thanks for the link, this article is more clear compared to the posted above.

I'm more interested to the scope of the exploit whether it could touch the flash of the controller or not as you can also do OTA update through the BLE component.

China ain't our friend but neither is our own regime, I don't get the normies only caring about privacy and security when chinaman do the thing

Then they tuck their dicks because they got nothing to hide when domestic spook is doing the same

pathetic and intellectually disingenuous

Where did anyone say anything remotely like that?

How about all tech backdoors are bad and we should aim to use and make software and hardware that is ethically produced and usable without selling out your privacy and security?

Yes, this is about undocumented instructions found in the silicon but they are not executable unless the ESP32's firmware uses them. Firmware cannot be edited to use them unless you have an existing vulnerability such as physical access or insecure OTA in existing firmware (as far as researchers know).

It is good to question the "backdoor" allegations - maybe the instructions' microcode was buggy and they didn't want to release it.

Thats hot.

None of them, that's why the only things in my house that connect to the internet are my computers, game consoles, and cell phone

It depends on what the method of attack is. I'm not seeing anything saying that it would be possible to exploit wirelessly, so this could easily be mostly a non-issue.

Idk maybe specify that it was determined to not be a backdoor. Right now it reads as anti-china fear mongering.

Yeah, I caught the ESP32 part and tried to search for what devices these chips were built into, but couldn’t find one. I was curious how widespread the flaw was - as in, what consumer or infrastructure devices they might be in.

I'd also like to hear more. I have at least a dozen of these in my house.

So your argument is what? We shouldn’t have a list because the chip is user friendly?

If anyone's ever followed console emulator development, they know those undocumented commands are everywhere. There's still people finding new ones for the N64 hardware

Edit: I should say undocumented behavior, not necessarily new commands

Dog whistling.

This has nothing to do with the chip or who makes it.

It's the way it's written.

You missed the point.

So instead of blatant racism based on a lie, you're just going to dogwhistle racism based on a lie.

Thank you, your explanation / edit is much appreciated 👏 🥳 ❤️

17billion of them.

Xi had a clone army?

🤔