Comment by Aurornis
1 month ago
TL;DR: They reverse engineered the firmware and found HCI commands to do things like read/write memory, send packets, and set the MAC address.
Not really a backdoor. I don't know if they called it a backdoor (presentation is in Spanish), or if the journalists are calling it a backdoor to get more clicks.
You'd need to have arbitrary access to send HCI commands to the device to use these commands. That means you're already controlling the device and how it operates. This isn't something that gets remotely exploited over the wireless link. Any exploits would already have to have full control of the device, at which point being able to change the MAC address or send packets isn't really a surprise anyway.
Interesting research, but really groan-inducing to see it spun as a "backdoor". I don't know who's to blame for the wording, though. I'm guessing the journalists?
EDIT: For an analogy that might be more familiar, imagine if someone discovered that the Ethernet controller on a common IoT chip could change its MAC address or send arbitrary packets if the firmware told it to. This is the same thing, but with Bluetooth.
It's the researchers themselves who call it a backdoor. Here's the announcement on their website, in English:
https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-...
> and set the MAC address
Fun fact: a lot of the extremely cheap USB BT adapters you can find sold online have the same MAC address, probably because they couldn't be bothered to change it to something unique. Hence why things like https://macaddresschanger.com/ (Windows) and bdaddr (Linux) exist. Most of them seem to be clones of a CSR design, and the commands to set its address are well-known. (See https://sources.debian.org/src/bluez/5.55-3.1%2Bdeb11u1/tool... )
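To make concrete what "sending an HCI command" means in the discussion above (the commands found in the firmware, and the well-known set-address commands on CSR clones), here is an added example, not code from the thread, the researchers, or bluez: it encodes and decodes Bluetooth HCI packets in the H4 (UART) framing that a host writes to its controller. The opcode layout (6-bit OGF, 10-bit OCF), the Read_BD_ADDR opcode 0x1009, the Command Complete event 0x0E, and OGF 0x3F being the vendor-specific group are standard Bluetooth Core facts; the vendor OCF 0x0001 and the reply bytes are constructed placeholders, not a real ESP32 or CSR command or capture.

```python
"""HCI packet framing (H4 transport): commands go host -> controller,
events come back. Anything that can emit these bytes is already on the
host side of the chip, which is the point made in the thread.
"""
import struct

H4_COMMAND = 0x01  # packet indicator byte for a command
H4_EVENT = 0x04    # packet indicator byte for an event

EVT_COMMAND_COMPLETE = 0x0E

OGF_INFORMATIONAL = 0x04
OCF_READ_BD_ADDR = 0x0009   # Read_BD_ADDR, opcode 0x1009
OGF_VENDOR = 0x3F           # vendor-specific command group (opcodes 0xFCxx)
OCF_HYPOTHETICAL_VENDOR = 0x0001  # ASSUMPTION: placeholder OCF, not a real chip command


def opcode(ogf: int, ocf: int) -> int:
    """HCI opcode = OGF in the top 6 bits, OCF in the low 10 bits."""
    if not (0 <= ogf < 0x40 and 0 <= ocf < 0x400):
        raise ValueError("OGF/OCF out of range")
    return (ogf << 10) | ocf


def split_opcode(op: int) -> tuple:
    """Inverse of opcode(): returns (ogf, ocf)."""
    return op >> 10, op & 0x3FF


def build_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """H4 command: 0x01 | opcode (LE16) | param length | params."""
    if len(params) > 255:
        raise ValueError("HCI command parameters are limited to 255 bytes")
    return struct.pack("<BHB", H4_COMMAND, opcode(ogf, ocf), len(params)) + params


def parse_event(pkt: bytes) -> dict:
    """H4 event: 0x04 | event code | param length | params."""
    if len(pkt) < 3 or pkt[0] != H4_EVENT:
        raise ValueError("not an H4 event packet")
    code, plen = pkt[1], pkt[2]
    params = pkt[3:]
    if len(params) != plen:
        raise ValueError("event length field does not match payload")
    return {"event": code, "params": params}


def parse_command_complete(pkt: bytes) -> dict:
    """Decode Command Complete: num_cmd_pkts | opcode (LE16) | status | return params."""
    ev = parse_event(pkt)
    if ev["event"] != EVT_COMMAND_COMPLETE:
        raise ValueError("not a Command Complete event")
    p = ev["params"]
    if len(p) < 4:
        raise ValueError("Command Complete too short")
    ncmd, op = struct.unpack_from("<BH", p, 0)
    ogf, ocf = split_opcode(op)
    return {"ncmd": ncmd, "opcode": op, "ogf": ogf, "ocf": ocf,
            "status": p[3], "ret": p[4:]}


def bdaddr_str(raw6: bytes) -> str:
    """BD_ADDR travels least-significant byte first; print it MSB first."""
    if len(raw6) != 6:
        raise ValueError("BD_ADDR must be 6 bytes")
    return ":".join(f"{b:02X}" for b in raw6[::-1])


# Constructed sample reply (not a real capture): Command Complete for
# Read_BD_ADDR, status 0x00, address 11:22:33:44:55:66 in LE byte order.
SAMPLE_READ_BDADDR_REPLY = bytes([
    0x04, 0x0E, 0x0A,             # H4 event, Command Complete, 10 param bytes
    0x01, 0x09, 0x10, 0x00,       # ncmd=1, opcode 0x1009, status 0
    0x66, 0x55, 0x44, 0x33, 0x22, 0x11,
])


def read_bd_addr_exchange() -> dict:
    """Show the command the host would write and decode the sample reply."""
    cmd = build_command(OGF_INFORMATIONAL, OCF_READ_BD_ADDR)
    reply = parse_command_complete(SAMPLE_READ_BDADDR_REPLY)
    return {"command": cmd, "bdaddr": bdaddr_str(reply["ret"]),
            "status": reply["status"]}


if __name__ == "__main__":
    print(read_bd_addr_exchange())
    # A vendor-specific command sits in OGF 0x3F; the OCF here is a placeholder.
    print(build_command(OGF_VENDOR, OCF_HYPOTHETICAL_VENDOR, b"\x00").hex())
```

Any undocumented chip command, whatever it does, is still just one of these framed packets written to the controller by whoever already drives the host interface, which is why the thread distinguishes this from a remote attack surface.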
Don't you see how a random device with an Ethernet cord being able to change its MAC address and send arbitrary packets is a wormable threat actor?
...and then let it do the same but without the Ethernet cord requirement?
Drive around with a white van that says "Free Candy / BLE Persistent Threats"... pwn devices as you walk through the metal detectors on the way to China.
Wireless, wormable, arbitrary packets, spoofing arbitrary devices and you don't see the issue?
> Don't you see how a random device with an Ethernet cord being able to change its MAC
Many devices already allow you to change your MAC if you want. This isn't new, it's been the case since the beginning of Ethernet, and subsequently WiFi.
Then you have things like device privacy on Windows and Android that use randomized MACs when connecting to new networks.
Your phone probably generates a random MAC every time you connect to WiFi.
Guess I'll see you in hacker jail
It doesn't sound like it is wormable -- it doesn't allow any new attacks on external devices.