Comment by 20after4
1 month ago
> "Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the backdoor might be possible via malicious firmware or rogue Bluetooth connections."
Yeah this does not sound like a RCE.
In what way is what you quoted not describing an RCE?
Clearly there are unanswered questions like does this malicious firmware exist? and how likely is it that ESP32s in the wild were shipped with it?
But they’re still describing an RCE.
Because it's not remote. This allows a computer with a Bluetooth adapter to debug and modify its own firmware. This is normal. The potential problem is the interface for this was not documented, and the commands are embedded in the HCI host-to-bluetooth-adapter protocol. Because it's undocumented, software developers on the host may not have considered this in their threat modeling. Firmware updates usually require kernel-level privileges, but HCI does not.
Are you saying that none of the undocumented commands are capable of putting the device into a remotely exploitable state?
The fact that it might be necessary to execute these commands locally is separate from the effects of executing those commands and the potential implications for hardware in the wild.
A simple example would be a supply chain attack that leverages these commands to compromise what will soon be consumer hardware.
6 replies →
They say "backdoor might be possible via malicious firmware or rogue Bluetooth connections."
Malicious firmware is not a RCE. If you install a malicious firmware you can do all kinds of bad stuff without this undocumented behavior.
And "rogue Bluetooth connections" is entirely theoretical. That MIGHT be a RCE, but it is not one. More of a hypothesis.
The headline alludes to much more than they have actually demonstrated. I'll change my tune when they demo the exploit code.