- cross-posted to:
- privacy@lemmy.ml
- privacy@programming.dev
- cross-posted to:
- privacy@lemmy.ml
- privacy@programming.dev
cross-posted from: https://lemmy.world/post/26598539
cross-posted from: https://programming.dev/post/26664400
Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.
Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a “backdoor,” that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren’t meant to be accessible, or they were left in by mistake. The issue is now tracked under CVE-2025-27840.
“it’s just for testing”
I understand your point, but I would not imply that a backdoor has to be remote. Backdoors are essentially any alternative, often undocumented ways to access or gain privileges on systems. They don’t always result from malicious intent either - many backdoors simply “happen” when developers haven’t fully considered security implications. For the average user whose device contains such unintentional backdoors, the impact remains the same regardless of how they came to exist. Consider the times when vendors had default BIOS passwords - these created a nightmare for Uni IT staff (and others as well), even though they were not accessible remotely.