
Aardvark Daily

The world's longest-running online daily news and commentary publication, now in its 30th year. The opinion pieces presented here are not purported to be fact but reasonable effort is made to ensure accuracy.

Content copyright © 1995 - 2025 to Bruce Simpson (aka Aardvark), the logo was kindly created for Aardvark Daily by the folks at aardvark.co.uk




A huge vulnerability?

10 March 2025

These days, a huge amount of our consumer electronics is made in China.

Everything from low-cost wifi-based security cameras through to TV sets, home audio systems, cheap tablets, phones and the like is of Chinese origin.

We love to buy these things because they're affordable and functional.

Sure, you can buy "brand name" gear at twice the price but, in many instances, it's also made in China.

There could, however, be a significant vulnerability associated with these Chinese-made smart devices.

According to this report, a set of "undocumented commands" has been found in one of the most popular Bluetooth/Wifi chips often used in cheap consumer electronics.

The ESP32 has become almost a de facto standard as a low-cost microcontroller with cheap and efficient wireless connectivity. I think I've probably got at least a dozen ESP32-based devices around here right now.

Speculation is already rife that these undocumented commands may be a deliberate attempt to provide "backdoor" access to the billion-plus products that have these chips fitted in them.

Opinion seems divided over whether these undocumented instructions could be used to perform a remote access attack but clearly they could be used as part of a supply-chain attack.

With this in mind it's worth considering the level of vulnerability that our reliance on Chinese-sourced hi-tech could represent.

Just last week a new botnet that harnessed the power of almost 90,000 Internet of Things (IoT) devices made headlines, and this could be just the tip of the iceberg.

As "connected" microcontroller-based smart devices become even more ubiquitous, the risks associated with having secret back-doors controlled by potentially hostile nations should be ringing alarm bells.

What better way to confuse and distract an enemy than by turning all their smart appliances and devices into a botnet that saturates their local internet, effectively disconnecting them from each other and the rest of the world? Or maybe worse... perhaps these devices are simply sitting there listening and passing on useful information.

A few years ago it would have been pointless to collect such massive amounts of information because the time taken to analyse, filter and process it would have made its use impractical. However, with modern AI systems, all that data could be thrown into an LLM or other model that could then be interrogated very easily with a typed or spoken command.

Sadly, we live in a world where this is not just a wild fantasy but potentially a harsh reality. Global tensions are at an all-time high and cyberattacks are very much a part of the modern battlefield.

Perhaps the most valuable thing you could own, going forward, is a firewall built using "known safe" components running open source code that's been thoroughly and independently vetted for back doors. Sadly, I don't know where you'd find this -- it may not even exist.

Carpe Diem folks!

