Technology

70365 readers

3540 users here now

This is a most excellent place for technology news and articles.

Our Rules

Follow the lemmy.world rules.
Only tech related news or articles.
Be excellent to each other!
Mod approved content bots can post up to 10 articles per day.
Threads asking for personal tech support may be deleted.
Politics threads may be removed.
No memes allowed as posts, OK to post as comments.
Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
Check for duplicates before posting, duplicates may be removed
Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago

MODERATORS

L3s@lemmy.world

enu@lemmy.world

technopagan@lemmy.world

L4s@lemmy.world

L3s@hackingne.ws

L4s@hackingne.ws

183

The ESP32 "backdoor" that wasn't | Dark Mentor LLC (darkmentor.com)

submitted 2 months ago by megaman@discuss.tchncs.de to c/technology@lemmy.world

15 comments fedilink hide all child comments

top 15 comments

sorted by: hot top controversial new old

[–] SpaceNoodle@lemmy.world 39 points 2 months ago (1 children)

Finally, some technical details that were sorely lacking from yesterday's article.

Anyway, having direct unprivileged R/W access to platform memory is indeed a security hole, no matter the vendor.

[–] pelya@lemmy.world 15 points 2 months ago (1 children)

Anyway, having direct unprivileged R/W access to platform memory is indeed a security hole, no matter the vendor.

It is not. ESP32 is an embedded chip with less than one megabyte of RAM. It cannot run apps or load websites with any malicious code, it only runs the firmware that you flash on it, nothing else, and of course your firmware has full access to every chip feature. If your firmware has a security hole, it's not the chip's fault.

[–] Godort@lemm.ee 33 points 2 months ago (1 children)

I mean, this doesn't really change anything from a practical perspective. It just highlights that the verbage in the press release was alarmist.

It's still a security concern that most users will be unaware of.

[–] ozymandias117@lemmy.world 2 points 2 months ago

Yes, in the sense that every device you own has these same commands

The alarmist of the original was that this was somehow unique to the esp32

If your device has Bluetooth, it has these commands

[–] kubica@fedia.io 21 points 2 months ago

Overall we at Dark Mentor do consider the use of VSCs granting the capability to read and write memory, flash, or registers to be bad security design. It’s bad design for Espressif the same as it’s bad design for Broadcom, Texas Instruments, and any other vendor that uses it. This issue is now being tracked as CVE-2025-27840.

[–] embed_me@programming.dev 13 points 2 months ago

Thanks. I was looking for an explanation like this

[–] TxzK@lemmy.zip 10 points 2 months ago

But but it's Chinese and Chinese tech bad

[+] Darkassassin07@lemmy.ca -6 points 2 months ago (3 children)

Potato, potato....

Whether we call them 'undocumented commands' or a 'backdoor', the affect is more or less the same; a series of high-level commands not listed within the specs, preventing systems engineers/designers from planning around vulnerabilities and their potential for malicious use.

[–] futatorius@lemm.ee 4 points 2 months ago

In that case, every stack that you use is riddled with those and we are all hosed. And yet somehow your computer, your phone and the internet keep on working most of the time.

[–] SharkAttak@kbin.melroy.org 2 points 2 months ago (1 children)

I don't get the downvotes, wether you call it backdoor or private API it's a security hole, and nitpicking on its name won't help fixing it.

[–] Darkassassin07@lemmy.ca 1 points 2 months ago

It was all positive until the guy below me came in throwing insults. Then people started piling downvotes on both....