Comment by Palomides

1 month ago

I'm confused: is it that the Bluetooth stack has a few undocumented commands? If these are only accessible to the code already running on the device, I'm not sure I would call it a backdoor.

> "Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the backdoor might be possible via malicious firmware or rogue Bluetooth connections."

Yeah, this does not sound like an RCE.

  • In what way is what you quoted not describing an RCE?

    Clearly there are unanswered questions, like: does this malicious firmware exist, and how likely is it that ESP32s in the wild were shipped with it?

    But they’re still describing an RCE.

    • Because it's not remote. This allows a computer with a Bluetooth adapter to debug and modify its own firmware. This is normal. The potential problem is the interface for this was not documented, and the commands are embedded in the HCI host-to-bluetooth-adapter protocol. Because it's undocumented, software developers on the host may not have considered this in their threat modeling. Firmware updates usually require kernel-level privileges, but HCI does not.


    • They say "backdoor might be possible via malicious firmware or rogue Bluetooth connections."

      Malicious firmware is not an RCE. If you install malicious firmware you can do all kinds of bad stuff without this undocumented behavior.

      And "rogue Bluetooth connections" is entirely theoretical. That MIGHT be an RCE, but it is not one. More of a hypothesis.

      The headline alludes to much more than they have actually demonstrated. I'll change my tune when they demo the exploit code.

Agreed. This is pretty common and no worse than a firmware update. The potential catch is that in-band debugging may not require the same privileges on the host you'd expect from a firmware update. So conceivably your userspace (or worse, WebBLE, not sure) program could add some malicious payload that's persistent in the adapter. A tracking beacon that persists through a drive replacement is scary, but not an RCE.
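The thread's point is that the commands ride inside ordinary HCI traffic between host and adapter, so a host-side threat model has to account for what userspace can send over that channel. One concrete defensive check is to parse the HCI command packets a process emits and flag anything in the vendor-specific opcode group, which is where undocumented adapter commands are conventionally placed. The following is an added example written for this thread, not code from the commenters or from any Bluetooth stack; it assumes H4 framing (packet type byte, little-endian 16-bit opcode, parameter length, parameters) and that the opcode's upper 6 bits are the OGF, with OGF 0x3F reserved for vendor-specific commands per the Bluetooth Core specification. The sample packets are constructed for the example; the vendor opcode shown is a placeholder, not a real ESP32 command.

```python
import struct
from dataclasses import dataclass

# H4 transport packet type for HCI commands
HCI_COMMAND_PKT = 0x01
# Bluetooth Core spec reserves opcode group 0x3F for vendor-specific commands
OGF_VENDOR_SPECIFIC = 0x3F


@dataclass
class HciCommand:
    opcode: int
    ogf: int      # opcode group field, upper 6 bits of the opcode
    ocf: int      # opcode command field, lower 10 bits of the opcode
    params: bytes

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def parse_h4_commands(stream: bytes) -> list[HciCommand]:
    """Parse a byte stream of H4-framed HCI command packets.

    Each packet is: type (1 byte) | opcode (LE16) | param_len (1 byte) | params.
    Raises ValueError on unexpected packet types or truncated packets so that
    malformed input is never silently classified as benign.
    """
    cmds: list[HciCommand] = []
    i = 0
    while i < len(stream):
        pkt_type = stream[i]
        if pkt_type != HCI_COMMAND_PKT:
            raise ValueError(f"unsupported H4 packet type 0x{pkt_type:02x} at offset {i}")
        if i + 4 > len(stream):
            raise ValueError(f"truncated HCI command header at offset {i}")
        opcode, plen = struct.unpack_from("<HB", stream, i + 1)
        start, end = i + 4, i + 4 + plen
        if end > len(stream):
            raise ValueError(f"truncated HCI command parameters at offset {start}")
        cmds.append(HciCommand(opcode, opcode >> 10, opcode & 0x3FF, stream[start:end]))
        i = end
    return cmds


def flag_vendor_commands(stream: bytes) -> list[str]:
    """Return one human-readable finding per vendor-specific command in the stream."""
    findings = []
    for n, cmd in enumerate(parse_h4_commands(stream)):
        if cmd.vendor_specific:
            findings.append(
                f"packet {n}: vendor-specific HCI command opcode=0x{cmd.opcode:04x} "
                f"(OGF=0x{cmd.ogf:02x}, OCF=0x{cmd.ocf:03x}, {len(cmd.params)} param bytes) "
                "- review against the adapter vendor's documented command set"
            )
    return findings


# Constructed sample traffic: a standard HCI_Reset (OGF 0x03, OCF 0x0003 -> opcode 0x0C03)
# followed by a placeholder vendor-specific command (OGF 0x3F, OCF 0x123 -> opcode 0xFD23)
# carrying two parameter bytes. Neither packet is captured from a real device.
SAMPLE_STREAM = (
    b"\x01\x03\x0c\x00"              # HCI_Reset, no parameters
    + b"\x01\x23\xfd\x02\xaa\xbb"    # placeholder vendor command, params aa bb
)

if __name__ == "__main__":
    for finding in flag_vendor_commands(SAMPLE_STREAM):
        print(finding)
```

Run against a capture of a process's HCI socket traffic, this separates the standard command set from vendor-specific opcodes, which is the set a host stack author would want to review (or deny to unprivileged callers) when deciding whether "HCI access" should be treated as equivalent to "firmware update" in their threat model.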