My read because I’ve been asked many times and need to sleep
The caveats and needs for further research the team notes are very honest. It’s hard to really calculate risk here because most vectors are physical and impact will vary by device and manufacturers.
@hacks4pancakes The article overplays it: By their own writing it seems to be an issue of the shipped BLE stack by the default Espressif SDK. Realistically many smaller projects are using it, but most major ones use alternative ones understanding the concept of "limited resources" or "cleaning up after execution".
Also this seems like debugging expressions left in production code - bad as it is, IIRC this ooopsie happens more often than you think. As long as you update your stuff regularly...
@simonmicro I’m not sure it’s overdramatic, they are careful to add caveats. Like I say, it’s just a goofy, extended, incalculable vuln in specific physical vectors.
@bananarama @hacks4pancakes @simonmicro It can make things worse if you expose HCI over UART and don't expect it to effectively give access to the device's memory.
That seems like a very niche case though.