Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
anymouse123456 2 hours ago

Since the Snowden leaks in 2013, it just doesn't make sense that *any* foreign customers would put US technology inside their firewall. But they do.

It shocks me even more that any Western customer would do the same with network-connected Chinese chips. But we do.

The Espressif chips are truly incredible value, but what are we doing here?

Is there any doubt that these don't represent a major attack surface if a conflict were to heat up?

If you had network-connected chips of your own design inside every household of your adversary, what could you do with that?

khalic 2 hours ago | parent [-]

It’s not like creating a chip gives you unfettered access to it. You _can_ add 0-day flaws and backdoors, but these can be discovered, leaked, etc. Has there been any case of such a backdoor built in consumer chips like theses? I’m not talking about CIA ops like snowden described, that’s supply chain interception. I mean, has anybody ever found such a backdoor?

xondono 24 minutes ago | parent [-]

Well, that depends on what you count as a backdoor, but Espressif has had some questionable flaws:

- Early (ESP8622) MCUs had weak security, implementation flaws, and a host of issues that meant an attacker could hijack and maintain control of devices via OTA updates.

- Their chosen way to implement these systems makes them more vulnerable. They explicitly reduce hardware footprint by moving functionality from hardware to software.

- More recently there was some controversy about hidden commands in the BT chain, which were claimed to be debug functionality. Even if you take them at their word, that speaks volumes about their practices and procedures.

That’s the main problem with these kinds of backdoors, you can never really prove they exist because there’s reasonable alternative explanations since bugs do happen.

What I can tell you is that every single company I’ve worked which took security seriously (medical implants, critical safety industry) not only banned their use on our designs, they banned the presence of ESP32 based devices on our networks.

khalic 14 minutes ago | parent [-]

You can hide malicious intent, so the repeated negligence patterns you’re pointing out make a better signal. Smart. Thx for the perspective