• Higgs boson · 14 · 2 months ago (edited)

      Probably why Android and apps are constantly asking me to turn on Bluetooth when I don't want or need it.

      Not that this chip is in my phone, but it begins to seem like a pattern.

          • @[email protected] · 2 · 2 months ago (edited)

            You lucky Nexus owner. I wish GrapheneOS could be flashed on more smartphones. Yeah, so that definitely reads like the feature that Bouncer provides, and if that’s anchored at the system level, the Graphene solution is guaranteed to be better too. Either way, it offers a lot of good functions that you can’t simply make available on another Android via root.

            Edit: I also forgot that Bouncer needs root to be fully functional.

    • @[email protected] · 42 · 2 months ago (edited)

      Maybe, maybe not. Keep in mind that opcodes are the lowest-level part of the programming stack. They’re literally just integers transmitted on the system bus. So if you’ve got, for example, 35 operations that you’re actually trying to implement, you need 2^n ≥ 35, or n = 6 signal lines in your bus to transmit it. But since 2^6 = 64, that means it’s possible to put another 29 values on that 6-bit bus, with completely undefined behavior unless you go out of your way to handle them in the instruction decoder (increasing the size and therefore cost of your silicon, which is very undesirable in an embedded chip that sells for less than $1).

      It is not at all implausible for one of those undefined instructions to just happen to do something that an attacker would find useful, by sheer coincidence.

      • sunzu2 · 9 · 2 months ago

        It is not at all implausible for one of those undefined instructions to just happen to do something that an attacker would find useful, by sheer coincidence.

        It’s amazing how there is an endless supply of these “coincidences”.

        • @[email protected] · 29 · 2 months ago

          Well, yeah. That’s because it’s inherent to how CPUs work. Every single CPU on the planet has undefined opcodes, unless the number of defined ones just happens to be a power of two.

      • Caveman · 4 · 2 months ago

        Couldn’t they just designate them as no-op codes?

        • @[email protected] · 15 · 2 months ago

          Yes, but to do that they have to be decoded and handled. That’s basically what the commenter above was saying.

          The original 6502 had many undocumented opcodes for this reason, and developers started exploiting them for various reasons. The CMOS 65C02 redefined them to no-op. This has been going on a long time.
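The opcode-space arithmetic from the comment above (35 operations, a 6-bit bus, 29 leftover encodings) and the 6502 / 65C02 contrast in this reply, as an added toy model that is not code from anyone in the thread: a partial decoder that ignores the low opcode bits (cheap, but undocumented encodings alias to real operations) beside a full decoder that forces every undocumented encoding to nop. The ISA and its mnemonics are constructed for illustration.

```python
"""Opcode space and instruction decoding, as a toy model (constructed example)."""

def opcode_width(defined_ops: int) -> int:
    """Smallest n with 2**n >= defined_ops: the bus lines needed to carry an opcode."""
    return max(1, (defined_ops - 1).bit_length())

def undefined_encodings(defined_ops: int) -> int:
    """Encodings the bus can carry that map to no defined operation."""
    return 2 ** opcode_width(defined_ops) - defined_ops

# Toy 6-bit ISA (constructed): 64 encodings, five documented operations.
NOP, LOAD, STORE, ADD, HALT = 0b000000, 0b000100, 0b001000, 0b001100, 0b010000
DEFINED = {NOP: "nop", LOAD: "load", STORE: "store", ADD: "add", HALT: "halt"}
ALL_ENCODINGS = range(2 ** 6)

def decode_cheap(op: int) -> str:
    """Partial decoder: only bits 5..2 reach the control logic (fewer gates),
    so bits 1..0 are 'don't care' and undocumented encodings alias to real ops,
    roughly how the NMOS 6502 ended up with usable undocumented opcodes."""
    return DEFINED.get(op & 0b111100, "undefined")

def decode_full(op: int) -> str:
    """Full decoder: every encoding is compared, and anything undocumented is
    forced to nop (the 65C02 approach) instead of doing whatever falls out."""
    return DEFINED.get(op, "nop")

def undocumented_aliases(decoder) -> list:
    """Encodings that are not documented yet still perform a real operation."""
    return [op for op in ALL_ENCODINGS
            if op not in DEFINED and decoder(op) not in ("nop", "undefined")]

def behaviour_census(decoder) -> dict:
    """How the 64 encodings behave under a given decoder."""
    census = {}
    for op in ALL_ENCODINGS:
        name = decoder(op)
        census[name] = census.get(name, 0) + 1
    return census

if __name__ == "__main__":
    print(opcode_width(35), undefined_encodings(35))   # 6 29, as in the comment
    print(len(undocumented_aliases(decode_cheap)))     # 12 undocumented-but-working
    print(len(undocumented_aliases(decode_full)))      # 0
    print(behaviour_census(decode_cheap))
    print(behaviour_census(decode_full))
```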

    • sunzu2 · 6 · 2 months ago

      Why do you think both Android and iOS are always trying to keep BT turned on?

      • osaerisxero · 6 · 2 months ago

        For Android, location services don’t work properly without Bluetooth on, so that could be related.

        • sunzu2 · 3 · 2 months ago

          I know BT will help location services, but I am not sure what you mean by “will not work properly”.

          It won’t pin location quick enough?

          • osaerisxero · 3 · 2 months ago

            IIRC, precise location queries don’t return values without the BT radio enabled. It works the other way too: the app needs location permission to discover BT devices in proximity, and location must be enabled at the system level.

      • @[email protected] · 2 · 2 months ago

        Step 1: tracking and profiling. Step 2: selling data. Step 3: profit.

        Android and iOS use completely different methods. For example, they listen to frequencies that are inaudible to us, and TV advertising plays an inaudible sound as a trigger for Android/iOS in addition to the audible sound, to impose targeted advertising and to allocate devices even without a network, etc. They wouldn’t actually need backdoors, as they get more than enough information as it is. But I don’t want to imply that I don’t expect backdoors there, because this has been proven in any case and often enough.

  • Optional · 13 · 2 months ago

    Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.

    Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.

    Badass.

  • Fermiverse · 40 · 2 months ago

    This is really bad, as most cheap IoT devices using this chip will not receive an update at all.

    Would like to see a smartphone app testing this out via Bluetooth so we could do some damage control at least and take them offline.

    • @[email protected] · 4 · 2 months ago

      Am I misunderstanding the article? It seemed to imply remote intrusion required either Bluetooth proximity, or physical USB access.

      • Fermiverse · 13 · 2 months ago

        Correct, but as Bluetooth is possible over a certain range, “drive-by attacks” might be possible.

      • The_Decryptor · 3 · 2 months ago

        The “attack” is from the host side, any remote attack is theoretical and would depend on exploiting the software on the host first to then gain access to the BT chip.

  • burgersc12 · 9 · 2 months ago (edited)

    I am conflicted. On the one hand, it’s a great thing we know about the exploit. The problem is, now everyone knows about it; it seems like they’ve documented exactly how to do it for anyone who didn’t already know how…

    • @[email protected] · 22 · 2 months ago

      That’s how it goes with all security vulnerabilities. IMHO sunlight is the best disinfectant for stuff like this. But yeah, it can cause some chaos.

    • K0W4L5K1 · 15 · 2 months ago

      Better to have it out in the open than being used by sneaky nefarious types without anyone else knowing, IMO.

  • nickwitha_k (he/him) · 3 · 2 months ago

    I’m still looking into this, but “backdoor” appears to be incorrect and sensationalist. A team used proprietary software to uncover undocumented opcodes related to the Host Controller Interface (HCI). This could provide a path for arbitrary code execution, if one already has control of the Host… In which case they can arbitrarily execute whatever code they want.
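Since the finding is about HCI commands sent from the host (the “Opcode 0x3F” mentioned in Optional’s comment above and the HCI point made here), an added example of what a defender can watch on the host side, not code from Tarlogic, Espressif or anyone in the thread: a parser for H4-framed HCI command packets that splits the 16-bit opcode into OGF (upper 6 bits) and OCF (lower 10 bits) and flags the vendor-specific group, which the Bluetooth Core specification reserves as OGF 0x3F. The OCF and parameter bytes in the sample capture are constructed placeholders, not real ESP32 commands.

```python
"""Host-side HCI command monitor (constructed example): parses H4-framed HCI
command packets and flags vendor-specific ones (OGF 0x3F). OCF values in the
sample capture are placeholders, not ESP32 commands."""
import struct

H4_COMMAND = 0x01            # H4 packet indicator for an HCI command packet
OGF_VENDOR_SPECIFIC = 0x3F   # Bluetooth Core spec: vendor-specific debug commands

# A few standard opcodes for the allow-list, encoded as (OGF << 10) | OCF.
KNOWN = {0x0C03: "HCI_Reset", 0x1009: "HCI_Read_BD_ADDR",
         0x0C13: "HCI_Write_Local_Name"}

def parse_command(pkt: bytes) -> dict:
    """Split an H4 command packet into its opcode fields; raises on bad framing."""
    if len(pkt) < 4 or pkt[0] != H4_COMMAND:
        raise ValueError("not an H4 HCI command packet")
    opcode, plen = struct.unpack_from("<HB", pkt, 1)   # little-endian opcode, length
    params = pkt[4:4 + plen]
    if len(params) != plen:
        raise ValueError("truncated parameters")
    return {"opcode": opcode, "ogf": opcode >> 10, "ocf": opcode & 0x3FF,
            "params": params,
            "vendor_specific": (opcode >> 10) == OGF_VENDOR_SPECIFIC}

def is_well_formed(pkt: bytes) -> bool:
    """True when the packet parses; used to reject truncated frames cleanly."""
    try:
        parse_command(pkt)
        return True
    except ValueError:
        return False

def classify(pkt: bytes) -> str:
    """Label a command: known standard, unlisted standard, or vendor-specific."""
    cmd = parse_command(pkt)
    if cmd["vendor_specific"]:
        return "ALERT vendor-specific OCF 0x%03X (%d param bytes)" % (
            cmd["ocf"], len(cmd["params"]))
    return "ok " + KNOWN.get(cmd["opcode"], "standard OGF 0x%02X OCF 0x%03X" % (
        cmd["ogf"], cmd["ocf"]))

def scan(packets) -> list:
    """Run classify over a capture and return only the vendor-specific alerts."""
    return [classify(p) for p in packets if parse_command(p)["vendor_specific"]]

# Constructed capture: two standard commands and one vendor-specific command.
CAPTURE = [
    bytes.fromhex("01030c00"),          # HCI_Reset, no parameters
    bytes.fromhex("01091000"),          # HCI_Read_BD_ADDR, no parameters
    bytes.fromhex("0101fc0401020304"),  # OGF 0x3F, OCF 0x001 (placeholder), 4 bytes
]
```

Running `scan(CAPTURE)` reports only the third packet; a real deployment would feed it packets captured from the host's HCI transport (for example a btmon or btsnoop dump) rather than the constructed list.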

    • @[email protected] · 8 · 2 months ago (edited)

      In addition to what others have said, ESP32 is often used by hobbyists, like a more powerful Arduino. These devices are extremely versatile and cheap. I have several of these in my home automation and this is very bad news :(

    • burgersc12 · 2 · 2 months ago

      There’s a billion, gonna be a long list… I’d do some research on your devices and see if any of them use the ESP32.