- Tarlogic found a "backdoor" in the ESP32 chips: bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices Broadcom & Cypress chips have the same HCI "backdoor", allowing writes to the Bluetooth chip's RAM. This feature is used for firmware patches.
Mar 9, 2025 12:39
- We didn't request CVEs for that 9 years ago. Instead, we built the InternalBlue Bluetooth research framework: github.com/seemoo-lab/internalblue
- Firmware memory access through HCI was never considered a threat, since an attacker requires at least code execution in the Bluetooth daemon/driver for getting code execution in the Bluetooth firmware.
- This threat model changed slightly when we showed further privilege escalation, in particular code execution in the WiFi firmware via Bluetooth. Now, this interface is only available until Bluetooth firmware patches have been applied at driver/daemon initialization. arxiv.org/pdf/2112.05719
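The "undocumented commands" discussed in the thread are ordinary HCI commands in the vendor-specific opcode group (OGF 0x3F) that the host sends over the same H4 channel as any other command; whoever controls the daemon/driver can issue them, which is why the threat model hinges on gating them after initialization. The following is an added illustration, not code from the thread, from InternalBlue or from any chip vendor: it encodes and parses H4 command/event packets per the Bluetooth Core spec (opcode = OGF << 10 | OCF) and applies a host-side gate that allows vendor commands only during the driver's patch phase. The OCF value 0x4C used for a "write RAM" command, the RAM address, the payload bytes and the whole traffic sample are constructed placeholders; real vendor OCFs and the init sequence differ per chip and driver.

```python
import struct
from typing import Iterator, List, Tuple

# H4 (UART transport) packet-type indicators from the Bluetooth Core spec
H4_CMD, H4_EVT = 0x01, 0x04
OGF_VENDOR = 0x3F                       # opcode group reserved for vendor-specific commands
EVT_COMMAND_COMPLETE = 0x0E
OPCODE_RESET = (0x03 << 10) | 0x0003    # HCI_Reset (OGF 0x03, OCF 0x0003) = 0x0C03
OCF_WRITE_RAM = 0x4C                    # ASSUMED placeholder for a vendor "write RAM" OCF; real chips differ


def opcode(ogf: int, ocf: int) -> int:
    """Pack OGF (6 bits) and OCF (10 bits) into a 16-bit HCI opcode."""
    return ((ogf & 0x3F) << 10) | (ocf & 0x3FF)


def split_opcode(op: int) -> Tuple[int, int]:
    return op >> 10, op & 0x3FF


def build_cmd(op: int, params: bytes = b"") -> bytes:
    """H4 command packet: type, little-endian opcode, parameter length, parameters."""
    return struct.pack("<BHB", H4_CMD, op, len(params)) + params


def build_cmd_complete(op: int, status: int = 0x00, ncmd: int = 1) -> bytes:
    """H4 event packet carrying HCI_Command_Complete for `op` (Num_HCI_Command_Packets, opcode, status)."""
    body = struct.pack("<BHB", ncmd, op, status)
    return struct.pack("<BBB", H4_EVT, EVT_COMMAND_COMPLETE, len(body)) + body


def parse_h4(stream: bytes) -> Iterator[Tuple[str, int, bytes]]:
    """Yield ("cmd", opcode, params) or ("evt", event_code, params) for each packet in an H4 byte stream."""
    i = 0
    while i < len(stream):
        kind = stream[i]
        if kind == H4_CMD:
            op, plen = struct.unpack_from("<HB", stream, i + 1)
            yield ("cmd", op, bytes(stream[i + 4:i + 4 + plen]))
            i += 4 + plen
        elif kind == H4_EVT:
            code, plen = struct.unpack_from("<BB", stream, i + 1)
            yield ("evt", code, bytes(stream[i + 3:i + 3 + plen]))
            i += 3 + plen
        else:
            raise ValueError(f"unsupported H4 packet type 0x{kind:02x} at offset {i}")


class VendorCommandGate:
    """Host-side policy: vendor-specific (OGF 0x3F) commands are allowed only while the
    driver is still initialising the chip, i.e. while firmware patches are being loaded."""

    def __init__(self) -> None:
        self.init_done = False

    def finish_init(self) -> None:
        self.init_done = True

    def check(self, op: int) -> str:
        ogf, _ = split_opcode(op)
        return "block" if (ogf == OGF_VENDOR and self.init_done) else "allow"


def audit(stream: bytes, init_cmds: int) -> List[Tuple[int, bytes, str]]:
    """Return (opcode, params, verdict) for every command in `stream`. The first `init_cmds`
    commands are treated as the driver's initialisation phase; the gate closes after them."""
    gate, out, seen = VendorCommandGate(), [], 0
    for kind, op, params in parse_h4(stream):
        if kind != "cmd":
            continue
        if seen == init_cmds:
            gate.finish_init()
        seen += 1
        out.append((op, params, gate.check(op)))
    return out


# Constructed sample traffic (not a capture from any real device): reset, one vendor RAM write
# during init, then the same vendor RAM write issued again after initialisation has finished.
WRITE_RAM = opcode(OGF_VENDOR, OCF_WRITE_RAM)
SAMPLE = (
    build_cmd(OPCODE_RESET)
    + build_cmd_complete(OPCODE_RESET)
    + build_cmd(WRITE_RAM, struct.pack("<I", 0x00200000) + b"\x00\xbf")   # placeholder address + 2 payload bytes
    + build_cmd_complete(WRITE_RAM)
    + build_cmd(WRITE_RAM, struct.pack("<I", 0x00200000) + b"\xfe\xe7")   # same command, but after init
)

if __name__ == "__main__":
    for op, params, verdict in audit(SAMPLE, init_cmds=2):
        ogf, ocf = split_opcode(op)
        print(f"opcode 0x{op:04x} (OGF 0x{ogf:02x}, OCF 0x{ocf:03x}) params={params.hex()} -> {verdict}")
```

Running it shows the reset and the first RAM write allowed and the post-init RAM write blocked. The gate lives on the host, so it only helps against an attacker who sits above the driver (e.g. in an application); an attacker who already has code execution in the daemon or driver itself, the prerequisite the thread names, can simply bypass it, which is the point the thread makes about the threat model.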