183
Undocumented backdoor found in Bluetooth chip used by a billion devices
(www.bleepingcomputer.com)
this post was submitted on 08 Mar 2025
183 points (98.9% liked)
Cybersecurity
6552 readers
59 users here now
c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
- Be respectful. Everyone should feel welcome here.
- No bigotry - including racism, sexism, ableism, homophobia, transphobia, or xenophobia.
- No Ads / Spamming.
- No pornography.
Community Rules
- Idk, keep it semi-professional?
- Nothing illegal. We're all ethical here.
- Rules will be added/redefined as necessary.
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities !databreaches@lemmy.zip !netsec@lemmy.world !securitynews@infosec.pub !cybersecurity@infosec.pub !pulse_of_truth@infosec.pub
Notable mention to !cybersecuritymemes@lemmy.world
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
So i think 29 undocumented commands are far too many for a mistake..
Maybe, maybe not. Keep in mind that opcodes are the lowest-level part of the programming stack. They're literally just integers transmitted on the system bus. So if you've got, for example, 35 operations that you're actually trying to implement, you need 2^n^ ≥ 35 or n = 6 signal lines in your bus to transmit it. But since 2^6^ = 64, that means it's possible to put another 29 values on that 6-bit bus, with completely undefined behavior unless you go out of your way to handle them in the instruction decoder (increasing the size and therefore cost of your silicon, which is very undesirable in an embedded chip that sells for less than $1).
It is not at all implausible for one of those undefined instructions to just happen to do something that an attacker would find useful, by sheer coincidence.
Couldn't they just designate them as no-op codes?
Yes, but to do that they have to be decoded and handled. That's basically what the commenter above was saying.
The original 6502 had many undocumented opcodes for this reason, and developers stated exploiting them for various reasons. The CMOS 65C02 redefined them to no-op. This has been going on a long time.
It amazing how there is an endless supply of these "coincidence"
Well, yeah. That's because it's inherent to how CPUs work. Every single CPU on the planet has undefined opcodes, unless the number of defined ones just happens to be a power of two.
Probably why Android and apps are constantly asking me to turn on Bluetooth when I dont want or need it.
Not that this chip is in my phone, but it begins to seem like a pattern.
Maybe bouncer is something for you
Looks like bouncer is no longer available.
https://play.google.com/store/apps/details?id=com.samruston.permission
I do have Graphene which can do something similar. or maybe its an Android 15 feature?
Per app, there is a toggle to revoke an app's permission after an unspecified(?) period of time.
"Manage app if unused"
You lucky nexus owner. I wish GrapheneOS could be flashed on more smartphones. Yeah so that definitely reads like the feature that bouncer provides and if that's anchored at the system level the Graphene solution is guaranteed to be better too. Either way, it offers a lot of good functions that you can't simply make available on another Android via root.
Edit: I also forgot that Bouncer needs root to be fully functional.
i gather that's why they're referring to the discovery as a 'backdoor'
why do you think both android and ios always trying to keep BT turned on?
For android, location services doesn't work properly without Bluetooth on, so that could be related
I know BT will help location services, I am not sure what you mean will not work properly?
It won't pin location quick enough?
Iirc, precise location queries don't return values without the BT radio enabled. Works the other way too, the app needs location permission to discover bt devices in proximity and location must be enabled at the system level.
step 1 Tracking and profilling step 2 selling data step 3 profit
Android and ios use completely different methods. For example, they listen to frequencies that are inaudible to us and, for example, TV advertising plays an inaudible sound as a trigger for Android/IOs in addition to the audible sound. To impose targeted advertising in order to allocate devices even without a network, etc. They wouldn't actually need backdoors as they get more than enough information as it is. But I don't want to imply that I don't expect backdoors there, because this has been proven in any case and often enough.