Maybe we can find out for sure through the magic of the fediverse…
@antoniovazquezblanco@mastodon.social Is the “backdoor” mentioned in https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/ about what you shared in your RootedCON talk? If so, how worried should people using devices containing ESP32s be?
I mean, if it were a backdoor, the one thing you can be sure of is that the people who put it there wouldn’t be calling it a backdoor, ever.
Though, I think it’s worth pointing out that the while the security company’s blog calls whatever it is a “backdoor”, “backdoor” (nor “puerta” (though, I have no idea if that would be translated literally or to something else)) doesn’t appear in the the slides. So I’m going to lay that one at the marketing people trying to drum it up into something more impressive than it really is.
Huh, that is interesting. Though, that post doesn’t seem to have any info about what the backdoor is either.
Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. […] This discovery is part of the ongoing research carried out by the Innovation Department of Tarlogic on the Bluetooth standard. Thus, the company has also presented at RootedCON, the world’s largest Spanish-language cybersecurity conference, BluetoothUSB, a free tool that enables the development of tests for Bluetooth security audits regardless of the operating system of the devices. [Emphasis mine.]
Maybe the presentation has nothing to do with the actual backdoor?
Though, this part later might seem to imply they are related:
In the course of the investigation, a backdoor was discovered in the ESP32 chip, […] Tarlogic has detected that ESP32 chips […] have hidden commands not documented by the manufacturer. These commands would allow modifying the chips arbitrarily to unlock additional functionalities, […].
Which, best I can work out, seems to be talking about the information on slide titled “COMANDOS OCULTOS” (page 39 / “41”).
If the “backdoor” is the couple of commands in red on that slide, I maintain what I said above. If it’s not talking about that and there’s another “backdoor” that they haven’t described yet, well, then ¯\_(ツ)_/¯ we’ll see what it is when they actually announce it.
I fully acknowledge there may be something I’m missing. If there’s a real vuln/backdoor here, I’m sure we’ll hear more about it.
What is this article on about?
Here’s the actual presentation: https://www.documentcloud.org/documents/25554812-2025-rootedcon-bluetoothtools/
I don’t speak Spanish and only have the slides to go off of, but this doesn’t sound like a “backdoor”. This sounds like they found the commands for regulatory testing. To do emissions testing you need to be able to make the device transmit on command so that your testing house can verify you’re within legal limits on everything.
These are commands that can be given over USB. You know what else you can do over USB? Fucking anything, these chips have a JTAG USB device. (Now, if these are commands that can’t be turned off, that would be kinda bad, I guess? But still not really a super big problem. And I don’t see anything that implies that in the slides.)
[Edit: It’s not even that this is a “backdoor” in an internal peripheral interface. I think the “backdoor” is if you have software that exposes that interface somehow? Like you’re running an example that blindly copies stuff from an external UART to this interface? Like I think that’s it?]
The tone I get from the slides is more “hey we found this cool tool for doing Bluetooth stuff that doesn’t require writing embedded software”. Which, cool. But that’s sure not the point this article is trying to make.
I asked nicely why do I need to give my phone number and I was told that to register me as a member so I can get the discount.
I declined and said I don’t want to join and would like to just pay.
I’ve just said “I don’t have one” when asked this for awhile. This never seems the phase the cashiers, I’m guessing they know what that really means. Half the time I still get whatever discount, though I’ve never tried to sign up for a membership saying that.
If it’s an online form my phone number is just (local area code)555–5555. I’ve never had that not take, except for one case where it automatically enabled 2-factor auth and I had to create a new account.
[edit: To be clear, I assume the part that OP is not sure if it’s satire or not is “or switching to a more privacy-conscious browser such as Google Chrome.”] The emphasis in
Firefox is worse than Chrome
is in the original. To me that clearly implies that they are of the opinion that in general Google & Chrome are worse on privacy than Mozilla & Firefox. The comment at the end is just tongue in cheek snark alluding to the fact that in this particular case google did better for privacy in Chrome than Mozilla in Firefox.
or switching to a more privacy-conscious browser such as Google Chrome.
You’re not mistaken, it is definitely possible with at least RSA, though, I would guess it may not always be possible. It also sounds like it’s still a bad idea unless you know all of the parameters used to generate the keys and can be sure what information is actually encoded in the keys.
Technically neither of these are donations, but:
I subscribe to Firefox VPN, and don’t actually even use it, just because I want to support them in a way where money could possibly towards FF dev and not just the Mozilla foundation (which can’t fun Mozilla corp work AFAIK).
I also have a supporter subscription at https://neocities.org because I support his ideals. Plus I get dirt cheap, easy to use static hosting out of the deal.
Edit: Oh, I guess humble bundle purchases might count, I do at least slide the sliders to make sure the charities get most of the money.
Edit 2: Oh and the Calyx Institute, that’s actually a proper donation to a registered nonprofit. With my $400/year donation I get a 4G hotspot with actually unlimited data. (They also have a $500/year for an unlimited 5G hotspot, I just haven’t felt the need to upgrade since they started offering that.) I also use CalyxOS, so it’s nice to feel like I’m supporting that.
OP is asking about userChrome.css, which applies to the style of the browser window itself, not webpage contents. Websites can't view the markup for the browser window itself (which, fun fact is (mostly?) just HTML too), otherwise this would all be moot and they could just look at your list of tabs or your username in the menus.
I think you might have misunderstood something along the way. You don’t need to use Chrome to use Element. Element is a client for the Matrix federated chat protocol. It exists as a web app (that works just fine with Firefox), an iOS app, and an Android app (that’s available in F-Droid). You can also use any other Matrix client you want.
And if you want to use the same account, the only thing you won’t have access to is your past encrypted messages.
The best way I know of is finding a device that’s supported by gadgetbridge: https://codeberg.org/Freeyourgadget/Gadgetbridge#supported-devices (be sure to check the warnings, some devices require you to pair with the OEM app first or possibly even keep the OEM app around)
Though, I used this with an Amazfit Bip and didn’t find the data particularity insightful. It often was just straight up wrong about whether I was sleeping or not. So, I too am curious to see what other answers come in.
It’s not even over USB by default. It’s an internal binary driver API. The USB part is a custom firmware for the ESP that exposes that api via USB that the people giving the talk wrote because it’s useful for pentesting / development of exploits for other Bluetooth devices.