dragosr on Nostr: Oh, is that all? A few (billion?) ESP32 devices let attackers establish persistency ...
Oh, is that all? A few (billion?) ESP32 devices let attackers establish persistency in local flash using an undocumented command set accessible from an over-the-air pivot, and low-level protocol injection and spoofing control...
ESP32 chips have 29 undocumented Bluetooth vendor-specific HCI commands (0xFC01–0xFC44) allowing direct RAM/Flash access, MAC address spoofing, injecting LMP and LLCP packets, and direct Bluetooth register manipulation.
https://tinyurl.com/ESP32-backdoor

https://tinyurl.com/esp32bd

Published at 2025-03-08 23:03:59

Event JSON
{
  "id": "058942e41e56bd3b1cf00882e2bd06933a32e67256e47aa1d5b850362bb8acf5",
  "pubkey": "77dcdfcab143b879e77a4963075bd01154cee6757eb9652b9cececacf055fea5",
  "created_at": 1741475039,
  "kind": 1,
  "tags": [
    [
      "proxy",
      "https://chaos.social/users/dragosr/statuses/114129308192913276",
      "activitypub"
    ]
  ],
  "content": "Oh, is that all? A few (billion?) ESP32 devices let attackers establish persistency in local flash using an undocumented commands set accessible from an over the air pivot, and low level protocol injection and spoofing control...\n\nESP32 chips have 29 undocumented Bluetooth vendor-specific HCI commands (0xFC01–0xFC44) allowing direct RAM/Flash access, MAC address spoofing, injecting LMP and LLCP packets, direct Bluetooth register manipulation. \n\nhttps://tinyurl.com/ESP32-backdoor\n\nhttps://tinyurl.com/esp32bd",
  "sig": "db72360806f9cb48008a42358a4ab4c4923891d9791b05e89902b05b20276f16f5edc6ad393f6db85983e7aba517a17bb404d666bb75f666ebf1397f702c55f1"
}