This Week In Security: The X DDoS, The ESP32 Basementdoor, And The CamelCase RCE

March 14, 2025 by 9 Comments

We would be remiss if we didn’t address the X Distributed Denial of Service (DDoS) attack that’s been happening this week. It seems like everyone is is trying to make political hay out of the DDoS, but we’re going to set that aside as much as possible and talk about the technical details. Elon made an early statement that X was down due to a cyberattack, with the source IPs tracing back to “the Ukraine area”.

The latest reporting seems to conclude that this was indeed a DDoS, and a threat group named “Dark Storm” has taken credit for the attack. Dark Storm does not seem to be of Ukrainian origin or affiliation.

We’re going to try to read the tea leaves just a bit, but remember that about the only thing we know for sure is that X was unreachable for many users several times this week. This is completely consistent with the suspected DDoS attack. The quirk of modern DDoS attacks is that the IP addresses on the packets are never trustworthy.

There are two broad tactics used for large-scale DDoS attacks, sometimes used simultaneously. The first is the simple botnet. Computers, routers, servers, and cameras around the world have been infected with malware, and then remote controlled to create massive botnets. Those botnets usually come equipped with a DDoS function, allowing the botnet runner to task all the bots with sending traffic to the DDoS victim IPs. That traffic may be UDP packets with spoofed or legitimate source IPs, or it may be TCP Synchronization requests, with spoofed source IPs.

The other common approach is the reflection or amplification attack. This is where a public server can be manipulated into sending unsolicited traffic to a victim IP. It’s usually DNS, where a short message request can return a much larger response. And because DNS uses UDP, it’s trivial to convince the DNS server to send that larger response to a victim’s address, amplifying the attack.

Put these two techniques together, and you have a botnet sending spoofed requests to servers, that unintentionally send the DDoS traffic on to the target. And suddenly it’s understandable why it’s so difficult to nail down attribution for this sort of attack. It may very well be that a botnet with a heavy Ukrainian presence was involved in the attack, which at the same time doesn’t preclude Dark Storm as the originator. The tea leaves are still murky on this one.

Continue reading “This Week In Security: The X DDoS, The ESP32 Basementdoor, And The CamelCase RCE”

The ESP32 Bluetooth Backdoor That Wasn’t

March 10, 2025 by 39 Comments

Recently there was a panicked scrambling after the announcement by [Tarlogic] of a ‘backdoor’ found in Espressif’s popular ESP32 MCUs. Specifically a backdoor on  the Bluetooth side that would give a lot of control over the system to any attacker. As [Xeno Kovah] explains, much about these claims is exaggerated, and calling it a ‘backdoor’ is far beyond the scope of what was actually discovered.

To summarize the original findings, the researchers found a number of vendor-specific commands (VSCs) in the (publicly available) ESP32 ROM that can be sent via the host-controller interface (HCI) between the software and the Bluetooth PHY. They found that these VSCs could do things like writing and reading the firmware in the PHY, as well as send low-level packets.

The thing about VSCs is of course that these are a standard feature with Bluetooth controllers, with each manufacturer implementing a range of these for use with their own software SDK. These VSCs allow for updating firmware, report temperatures and features like debugging, and are generally documented (except for Broadcom).

Effectively, [Xeno] makes the point that VSCs are a standard feature in Bluetooth controllers, which – like most features – can also be abused. [Tarlogic] has since updated their article as well to distance themselves from the ‘backdoor’ term and instead want to call these VSCs a ‘hidden feature’. That said, if these VSCs in ESP32 chips are a security risk, then as [Xeno] duly notes, millions of BT controllers from Texas Instruments, Broadcom and others with similar VSCs would similarly be a security risk.

Low-Resolution Fluid Simulation On An ESP32

February 28, 2025 by 2 Comments

Fluid simulations are a key tool in fields from aerospace to motorsports and even civil engineering. They can be three-dimensional and complicated and often run on supercomputer clusters bigger than your house. However, you can also do simple two-dimensional fluid simulations on very simple hardware, as [mircemk] demonstrates.

This build is almost like a simple toy that displays particles rolling around and tumbling as you turn it one way or the other. Behind the scenes, an ESP32 is running the show, simulating a group of particles responding to gravity in a fluid-like manner. The microcontroller is  hooked up with an 3-axis gyroscope and accelerometer, which it uses to track motion and influence the motion of the particles in turn. The results of the simple fluid simulation are displayed on a screen made up of a 16 x 16 matrix of WS2812B addressable RGB LEDs, which add enough color to make the build suitably mesmerizing.

There’s something compelling about turning the display and watching the particles tumble and flow, particularly when they’re all set to different colors. [mircemk] also gave the build the ability to operate in several different modes, running “sand,” “liquid” and “gas” simulations and with dynamic coloring to boot.

We’ve seen some great videos from [mircemk] before, too, like this sensitive metal detector rig. Continue reading “Low-Resolution Fluid Simulation On An ESP32”

The rust language logo being branded onto a microcontroller housing

Esp-hal, A Stable-API ESP32 HAL Gift For Your Rust Code

February 27, 2025 by 14 Comments

Looking to write Rust on the ESP32? You’re in luck, a new challenger has entered the scene, looking to help you write code that lasts – [Scott Mabin] and the team from Espressif have brought us the esp-hal 1.0.0-beta. From a personal project to an Espressif-sponsored one to an effort under Espressif’s wing, [Scott] tells us about the arduous journey of bringing first-class Rust support to ESP32 chips, Xtensa and RISC-V alike.

In particular, esp-hal, with the hal part standing for Hardware Abstraction Layer, focuses on providing you with a stable API to access hardware, making sure your code can remain stable for years to come. For now, you get drivers for GPIO, UART, SPI and I2C, as well as a number of auxiliary features like time and SoC reset, more than enough for a large amount of projects we hackers build with a generic MCU in mind.

Next stop? WiFi and BLE support, of course, an ESP32 just doesn’t feel the same without these two. Rust is a fun and seriously promising language, and it’s a joy to use! So, if you have a wireless-less project in mind and you’re looking for a HAL, try out the esp-hal, it might just be exactly what you need.

If you’re looking for examples, here’s an STM32 touchpad project with Rust firmware, a PIC32 Rust blinky demo, and we’ve even featured larger projects like this ESP32 open-source (reverse-engineered) WiFi MAC stack being written in Rust. In case you missed it, we’ve introduced Rust to you a couple of times, even as far as 2015!

Octet Of ESP32s Lets You See WiFi Like Never Before

February 15, 2025 by 13 Comments

Most of us see the world in a very narrow band of the EM spectrum. Sure, there are people with a genetic quirk that extends the range a bit into the UV, but it’s a ROYGBIV world for most of us. Unless, of course, you have something like this ESP32 antenna array, which gives you an augmented reality view of the WiFi world.

According to [Jeija], “ESPARGOS” consists of an antenna array board and a controller board. The antenna array has eight ESP32-S2FH4 microcontrollers and eight 2.4 GHz WiFi patch antennas spaced a half-wavelength apart in two dimensions. The ESP32s extract channel state information (CSI) from each packet they receive, sending it on to the controller board where another ESP32 streams them over Ethernet while providing the clock and phase reference signals needed to make the phased array work. This gives you all the information you need to calculate where a signal is coming from and how strong it is, which is used to plot a sort of heat map to overlay on a webcam image of the same scene.

The results are pretty cool. Walking through the field of view of the array, [Jeija]’s smartphone shines like a lantern, with very little perceptible lag between the WiFi and the visible light images. He’s also able to demonstrate reflection off metallic surfaces, penetration through the wall from the next room, and even outdoor scenes where the array shows how different surfaces reflect the signal. There’s also a demonstration of using multiple arrays to determine angle and time delay of arrival of a signal to precisely locate a moving WiFi source. It’s a little like a reverse LORAN system, albeit indoors and at a much shorter wavelength.

There’s a lot in this video and the accompanying documentation to unpack. We haven’t even gotten to the really cool stuff like using machine learning to see around corners by measuring reflected WiFi signals. ESPARGOS looks like it could be a really valuable tool across a lot of domains, and a heck of a lot of fun to play with too.

Continue reading “Octet Of ESP32s Lets You See WiFi Like Never Before”

Google FindMy Tools Run On An ESP32

February 11, 2025 by 43 Comments

As of about a day ago, Google’s reasonably new Find My network just got more useful. [Leon Böttger] released his re-implementation of the Android tracker network: GoogleFindMyTools. Most interestingly for us, there is example code to turn an ESP32 into a trackable object. Let the games begin!

Everything is in its first stages here, and not everything has been implemented yet, but you are able to query devices for their keys, and use this to decrypt their latest location beacons, which is the main use case.

The ESP32 code appears not to support MAC address randomization just yet, so it’s possibly more trackable than it should be, but if you’re just experimenting with the system, this shouldn’t be too much of a problem. The README also notes that you might need to re-register after three days of use. We haven’t gotten to play with it just yet. Have you?

If you’re worried about the privacy implications of yet another ubiquitous tracking system out there, you’re not alone. Indeed, [Leon] was one of the people working on the Air Guard project, which let iPhone users detect trackers of all sorts around them. Anyone know if there’s something like that for Android?

Thanks [Lars] for the hot tip!

 

RC Cars With First Person Video, All With An ESP32

February 6, 2025 by 8 Comments

Those little ESP32-CAM boards which mate the WiFi-enabled microcontroller with a small parallel-interface camera module have been with us for years, and while they are undeniably cool to play with, they sometimes stretch the available performance in trying to process and stream video. [Mattsroufe] has made a very cool project with one of them, not only managing to stream video from a small model car, but also to control the steering and motor by means of servos and a little motor driver.

Sadly it’s not entirely a stand-alone device, as the ESP32 streams video to a web server with some Python code to handle the controls. The server can aggregate several of them on one page though, for perhaps a little real-life quad-screen Mario Kart action if you have enough of the things. We can see that this idea has plenty of potential beyond the mere fun of driving a toy car around though, but to whet your appetite there’s a demo video below.

We’ve seen enough of the ESP32-cam before, but perhaps more as a photographic device.

Continue reading “RC Cars With First Person Video, All With An ESP32”