- cross-posted to:
- electronics
- cross-posted to:
- electronics
Source Link Privacy.
Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.
Update: The ESP32 “backdoor” that wasn’t.
That’s like saying “I want a list of all devices with ATmega328P.” Anyone can make a unique device with this chip as the processor, in fact I have. It’s a chip with an extremely low barrier of entry thanks to extensive documentation, lots of dev boards and libraries. Not as low as the 555 (lots of people’s first IC) but WAY lower than anything you’d traditionally consider a 32-bit CPU.
Anyway, even if you obtained the list magically, it would be of little use. To be clear: this is not an exploit. The chip just has more instructions than previously thought – instructions that you write into your program when building an ESP32 device. This can make some programs a little faster or smaller but you still need to flash them onto the microcontroller – using physical access, OTA (if you set it up in the existing FW) or some exploit (in someone’s OTA implementation, perhaps).
So your argument is what? We shouldn’t have a list because the chip is user friendly?
No. I’m saying you cannot have a complete list because the chip is user friendly. Look at all the “ESP32 project” results in the search engine of your choice if you want an incomplete list. Unlike say an Intel processor, you don’t need a contract with the manufacturer to make a device with the chip so not even Espressif has a list of commercial products that ship with their chip.
I will not stop you from building a list, I’d just not bother if I were you. There is no use of one resulting from this news. Suppose I told you “LOOK! This device’s firmware was compiled before they knew the program might be .1% more efficient with this instruction discovered in 2025!” – would that really change how you feel about the device? We live in an age of bloat; most software has way higher overhead that could be optimized away.
However, lots of people will fail to realize that, again, this is not an exploit so I’ll enjoy lower ESP32 prices for future home automation projects.
Dude, do I really need to pedantically qualify my question with “I would like a list of manufactured devices produced for sale with the chip already integrated, not hobbyist or ersatz devices in limited quantity? Nobody needs that, and a reasonable person would understand I’m not interested in what joe schmoe built in is garage.
C’mon, it’s like you’re looking for an argument. No shit we can’t have a list of every device based on your criteria, but we can reasonably expect to know what manufactured large-run devices do have it, and I think that’s a reasonable take on my question.
I agree that a list would be cool but I need to make sure that people know this is not a “WARNING! Avoid these bugged devices:” situation. Calling for a list increases unjustified panic. (Also, it looked like you didn’t understand the difficulties of listing all ESP32 products, which I was all too happy to be pedantic about.)
Am I oddly curious about the cheapest/most expensive/most popular retail ESP32 device? Yes.
Does this news increase/decrease the benefit of making such a list? No, it’s still way below the cost.