Undocumented commands found in ESP32
It seems suspicious as heck.
2025-03-09 · 1 year ago · 😮 1
🚀 stack · 2025-03-09 at 15:52:
ESP32 is full of weird stuff. A while back someone found a BASIC interpreter hidden in the ROM.
I am more suspicious of the toolchain. A couple of years back I was implementing a Lisp 1.5 interpreter using a minimal build environment I cobbled up, and I found that there were two RAM locations that crashed the system for no explainable reason...
I'd kind of given up on ESP32 as the build environment has gotten to the point that I am no longer comfortable having it on the computer.
🚀 stack · 2025-03-09 at 17:17:
It's generally wise to assume incompetence and not conspiracy -- a skill I am still trying to master.
🚀 stack · 2025-03-09 at 18:31:
Just be on the lookout for suspicious-looking Chinese guys with strange equipment.
👻 darkghost [OP] · 2025-03-09 at 19:01:
I could spin out a scenario involving connected IoT devices with Bluetooth or compromised computers seeking to penetrate deeper into networks. But it just serves to emphasize how hard it is to really audit all the microcode in everything. Ain't like it used to be.
🚀 stack · 2025-03-09 at 19:16:
You can destroy the morale of the population by remotely messing with the temperature and the timing of consumer washing machines to shrink clothes.
The demoralized population will develop unhealthy self-image, slowly undermining the society, and making it easy for the takeover.
I think it was in some Kurt Vonnegut novel, Martians put up billboards showing how much bigger their penises were, making earthmen surrender...
👻 darkghost [OP] · 2025-03-09 at 20:36:
It's funny you mention it, my 30 year old washer is having difficulties. I kept it going by putting a jumper wire across some terminals (thanks to the included schematic and logic table) until I can get a replacement part. Given what I know about modern appliances, I'm going to keep doing this until I can't.
Yeah the Chinese... Bad luck for me. I just wanted to start messing with the ESP32 again and rust. Maybe I'll do anyway.
I have 4 remote power switches / power meters with Tasmota flashed to use without hardware vendor software but I think these use an ESP8266. And I've put them in an isolated VLAN with no internet access (which won't help against bluetooth attacks but anyway).
🚀 byzoni · 2025-03-10 at 06:35:
So ESP32 is not only a penny microcontroller to blink an LED, but also a Bluetooth debugging board. Adorable!
👻 darkghost [OP] · 2025-03-10 at 09:50:
There are far more stupid applications of the IoT. How about an egg holder that lets you know, from anywhere in the world, exactly how many eggs you have? (but not whether they've gone off) Or water bottles that Bluetooth remind you that you're thirsty?
🚀 stack · 2025-03-10 at 12:35:
Now that the Internet of people has screwed everyone, it's time for the Internet of things to screw up everything. That pretty much covers it.
👻 darkghost [OP] · 2025-03-10 at 13:10:
Sorry, I died because I didn't charge my water bottle and I forgot to drink water. The afterlife won't give me the Wi-Fi password so I'm using a very spotty cell connection to tell you something important: you have 4 eggs left. Also it's time to update the firmware in your light bulb. It's only 120 MB to download. You can schedule the update now or now.
🚀 stack · 2025-03-10 at 20:06:
iDied is a connected coffin, providing updates to your dead feed to your favorite social media via wifi, via the cemetery's access point.
👻 darkghost [OP] · 2025-03-10 at 20:23:
Now that's a market disrupting idea if I've ever heard one! All that's missing is something AI related.
🚀 stack · 2025-03-10 at 23:29:
Yes. AI and Ethereum contracts, so you can surprise your loved ones by losing all their inheritance -- or doubling it...by trading after death
🐦 wasolili [...] · 2025-03-11 at 03:05:
I think the question we all need to ask here, is why the fuck does every gadget, toy and random doohickey need wifi and bluetooth?
I would go a step further and ask why everything needs a computer in it at all. Once you've got a computer in something, justifying wifi becomes easy: "we need to enable simple software updates in case our shitty code is broken" or "automate stats tracking" or whatever
and once you've got wifi in your product, no matter how good the intentions behind including it were (though i doubt there were any good intentions in many cases), some genius business guy will say, "we can remotely disable this, right? let's switch to a subscription model. do you think we could get ads showing on this, too?"
which is probably the real answer to the "why wifi?" question for most products. An exercise bike can be completely mechanical, but throw a few dollars of electronics into it and you can show ads, integrate streaming services, brick it if a payment is missed, and charge activation fees if it's sold second-hand.
I'm surprised landlords haven't picked up on all the ways to exploit this trend by listing amenities that are actually subscription models. An in-unit washer/dryer combo that charges the tenant per use and part of that goes to the landlord's bank account? That's just conniving enough to work. Throw in a refrigerator that plays ads for good measure
grumble grumble
👻 darkghost [OP] · 2025-03-11 at 11:16:
I mean I've lived in apartments where the washer had coin slots. Same thing really. And I still had to pay for the electricity to operate the damn thing.
👻 darkghost [OP] · 2025-03-11 at 16:13:
It was in the basement which is a "common area"
🌲 Half_Elf_Monk · 2025-03-11 at 17:43:
Incompetence is the majority, but conspiracies can leverage it to their own ends, so for security purposes it really makes no difference.
I suspect the impulse to assimilate everything into the IoT is well-meaning hackers/makers who like the challenge. It's a fun hobby. The capitalization-for-currency is generally someone else with different aims.
Fortunately I live somewhere where there's a decent culture of secondhand stores, so I could pick up "analogue" exercise bikes for cheap... that work decently well. Or just take a walk. :)
Point of interest: Wouldn't it be great if you could buy something like an ESP32 from within your own country? Having a means of production in your own nation/people seems like a good move for security.
All that said, I'm wondering how much of a threat these commands present. If my device is compromised, this just increases the damage potential. But is this an attack vector that could compromise an otherwise secure device? (i.e., if someone puts their malicious water bottle next to my otherwise-secure coffee machine, can it establish a rogue bluetooth connection and make me demoralizingly bad coffee?)
🌲 Half_Elf_Monk · 2025-03-11 at 20:41:
@HanzBrix - Yep. And that's where the conversation shifts from the technical aspects to the "political economy" questions. Say what you will about the politicians who want to move production more locally / nationally, but it sure would be great if there were closer options. I bet people in the west could come up with appropriately competitive solutions if enough need is seen. "backdooring all your bluetooth" seems like it qualifies to me, but what do I know?
🌲 Half_Elf_Monk · 2025-03-11 at 20:49:
Brainstorming here: I wonder if it would be possible to have a thingiverse-style library of designs for PCB boards and microcontrollers, which could then be ordered through local-ish vendors who manufacture/assemble the parts for you. Making microcontrollers as small as TSMC/Espressif does is amazing, but I'd rather buy a slightly slower one from a trusted source within my own country.
I'm thinking of something like JLCPCB but for microcontrollers as well as boards. That may not be possible, idk, but a half-elf-monk can hope. For example (HTTPS): https://jlcpcb.com/raspberry-pi-rp2350