Comment by gruez
1 month ago
>In theory, the attacker could then use the undocumented commands to scan, spoof, or otherwise attack any nearby Bluetooth devices. Perhaps this could even be achieved without gaining root on the device which is hosting the esp32.
How's this any different than a laptop getting pwned and attackers being able to run aircrack-ng or whatever on it?
It's not that different. It might be easier than your average "pwn" and might not require root access, but this is only my hypothesis based on what's written in TFA.
If it is USB, you should be able to do it directly in JS via Chrome.
WebUSB requires the device to opt in via its USB descriptors. Otherwise any USB device with firmware updates would have this problem.
Maybe an issue here is WebSerial, as HCI comes over a serial port device. I believe the OS should block access to the serial device once the host driver takes it as a Bluetooth adapter though.
>It might be easier than your average "pwn" and might not require root access
It's an IoT device. Everything's running as root.
> How's this any different
It's undocumented.
My laptop came with a 10-page quick start guide that mentions nothing about this "vulnerability". The only way to figure out whether a wifi chip can enter promiscuous mode or inject packets is by checking a wiki page maintained by volunteers.