Just saw this article and it looka intersting if true. Basically turnes all esp32 devices into a attact vector.
Nice!
I saw the story yesterday on /. where it was pointed out that it's a silly thing with no CVE and a hacker would have to install code on it to exploit the "vulnerability". And what exactly do we do with an ESP32? We install whatever code we wrote! And if a hacker can install code on it then s/he already has physical access to it. It's a nothing burger.
6 Likes
There is a CVE:
There is now 
I suppose malicious code could be inserted into one of the many libraries that are used by Arduino IDE, for example.
My understanding from reading the articles is that undocumented bluetooth commands were found that lead to potential attach vectors of the device. It didn't seem to have anything to do with users loading code themselves for projects. Even the CVE calls out a discovered bluetooth command to "write memory" which i suspect is a large part of the concern for malicious code being implanted over Bluetooth. They also comment about the use for one device with these commands taking over others on the bluetooth network.
