I wasn't aware of this wifi blob. This feeds a tiny paranoia I have at the back of my head when dealing with esp32/espressif. I have dozens of esp32s around and I love them, but Espressif is 100% Chinese.
I'm uncomfortable with what I read that every company of significant size in China automatically requires CCP party members to be involved in the company at a high level.
So I'm very happy to hear people such as these guys are looking deep at this.
Of course, since Espressif controls the hardware, they can do anything eventually. My itch will always be there and I'm going to switch once I find something made in preferably the EU, when I find something comparable to esp32. Maybe Nordic Semiconductor will make some nice RISC-V chips and dev-boards soon.
It is because of FCC certification requirements.
Usually, if the end user can modify the low-level radio firmware on the device, the device loses its FCC certification and cannot be sold in the USA.
It also seems that Espressif has bought their wifi IP, so their contracts and licensing terms with the IP vendor likely prevent any sharing.
But FCC is the reason for closed binary blob firmware for all wifi radios out there these days.
I don't understand how the license affects certification TBH. As this post clearly shows users can implement their own stack if they really want to, it's not that the license is going to prevent them. Why can't one have an open source stack with specific builds that are approved, tested and certified?
They can, but they lose their certification. Same if you don't use a certified board: your antenna might need new certification of your device. It may work, but if authorities find out it may become quite expensive.
I can also remove my lights and brakes from my car and it will still work, but if authorities find out I might be in trouble.
They could, but somebody would have to write that FOSS wifi stack.
You could not run self-compiled versions of the stack on any hardware that has been FCC certified, because if you could, the certs would be gone once again.
Wifi is shared spectrum and devices using it are licensed to make sure they conform to the local regulations. One size does not fit all.
For example 2.4GHz wifi channel 13 is legal in EU, but in USA it falls on a govt owned band.
This is why companies like Mikrotik or Ubiquiti have specific hardware versions for USA.
So that they verifiably cannot be set on illegal channels by the end user.
So it's perfectly feasible to have an open source Wifi, or Bluetooth or any other RF, stack, but only certain compiled versions are actually certified. I understand that the openness in this case would be limited: you lose the freedom to modify and run the software as you wish (unless you want to risk breaking the law), but you can still help bugfix, improve the software and verify that there are no backdoors / spying features.
The reason sometimes given by vendors that "FCC demands the code to be proprietary" is an excuse.
The law does state that "an intentional or unintentional radiator must be constructed such that the adjustments of any control that is readily accessible by or intended to be accessible to the user will not cause operation of the device in violation of the regulations" (https://www.law.cornell.edu/cfr/text/47/15.15 )
So if the manufacturer makes a device where changing the firmware is "readily accessible" to the user and there is an open source firmware available that can circumvent the FCC transmission restrictions (for example, change the power limits or channel limits for wifi physical layer), then that could be grounds for the FCC refusing to certify that device, as it is not permitted to make, import or sell general unrestricted transmitters to the general public (there are certain exceptions for licensed operators, ham radio, experimental use by manufacturers etc).
It's similar to other clauses that prohibit manufacturers from making it easy for the user to modify the equipment - e.g. 15.203 (https://www.law.cornell.edu/cfr/text/47/15.203): "the use of a standard antenna jack or electrical connector is prohibited", so that the user can't easily replace the antenna with a different one from what was certified.
Espressif also block some cool packet injection things like sending malformed packets in their firmware. Which is not illegal to offer. They probably are afraid of getting a bad reputation.
This is why open firmware can be really handy for the security community.
Given that they are originated from China, I'm not surprised.
For a while (not any more though) you can't sell an ACR122U RFID card reader online in China, just because mfoc [1] supports it nicely and it got a reputation of "smart card cloner".
Wifi is easy... there's no way to send anything undetected, since you control the routers, etc.
GSM->5G modems are a lot harder to debug... maybe now in recent years with cheaper SDRs, but a lot harder than wifi.
And not sure why you'd be afraid of CCP, we saw the wikileaks, USA does a lot of similarly bad stuff too and even got caught doing it... and if you live in a "western" country, USA has much easier access to you than China.
There’s no point having a vague Chinese back door in Espressif devices which security researchers could discover with relative ease. The remarkable prevalence of these chips in commodity consumer goods means that they’ve likely already been analysed by countless world governments and strategic enterprises.
If the IoT ecosystem has any weak spots, it is the Tuya software stack. It would be much easier, much more useful layer to put a back door into that.
Google 'the thing' and tell me that you could have predicted what it was and how it worked. Hardware is finicky in that way: you look at one thing it can be quite another.
It's not whataboutism when there's literally no proof that they are doing mass dragnet spying on western residents. And when we do have tons of proof of western governments doing exactly just that.
Again, it's a trendy buzzword to use but it literally isn't a catch all shield to argue that it's fine when we do it. When there's no proof of something happening, maybe we should focus on the thing that we know is happening instead of chasing literal ghosts
1) The activities of the US gov't have precisely nothing to do with the probability that a device from China has some backdoor or surveillance function. When someone raises this concern, the response "the USA has a history of surveilling its citizens" is not a rebuttal, it's irrelevant. Thus a whataboutism.
2) Your burden of proof might be different from mine, but one needs to be pretty naive to think that the CCP doesn't surveil western citizens. I doubt their intelligence apparatus is that bad at their job. In fact, I have plenty of reason to believe it's pretty great at it.
1) of course it does. This is an information cold war. If participant 1 is doing something then participant 2 is forced to do at least the same thing so as to ensure they don't fall behind. It's very naive to not expect the actions of one state to not affect the actions of the other.
You either intentionally or unintentionally phrased it in a way that blames unnamed participant 1. And given the context of this conversation, it seems that you blame US for CCP's inevitable spying. Seems weird given the kind of government CCP is (hint, the name).
In my opinion US is only at fault for spying on its own citizens (I'm not a citizen nor resident of the US), and in doing so it undermined its counter intelligence actions against state adversaries. Next time there is a good guy in the white house, all intelligence apparatus should be dismantled and replaced with something more transparent for the people, even though the reality where most of the world is despotic by design and therefore hostile to a supposed-to-be free nation is still there.
I'm not blaming either party. I don't even know who first started it. I'm just pointing out the fallacy in the argument. That's why I explicitly used generic names instead of CCP and US Gov.
So, USA was "proven" (well.. data was leaked and believed by many to be true) to be spying on many people, both local to US and foreign... and for China, all you have is "you're naive, if you don't think they do it too".
So, you don't mind being spied on by someone who was already caught spying on their own citizens, (assuming that you're from USA), has access to you, your finances, can lock you up, can suicide you in jail, etc., but you're afraid of china who has access to none of those powers?
It's not they do it too, it's "they are the ones who do it". There is no "too" in this context for the average western user. Unless there's proof indicating otherwise.
"Whataboutism" is trying to deflect to an utterly unrelated topic, like suddenly turning around, pointing at a tree and screaming "but what about the pine needle water content cartel?!".
It certainly isn't pointing out hypocrisy, establishing a common standard or a cure-all in online discussions.
I've seen a proper "whataboutism" being used but only once (by a malfunctioning redditor from Eglin Air Force Base).
OP above me was bothered with the company being Chinese, and I was pointing out the hypocrisy because the Chinese didn't get caught at a level nearly as bad as US did with wikileaks and that for most people in the west, it's better that the Chinese find out that you did something bad than if your own intelligence agencies find out.
Learn more about Espressif's founder. And I think the CCP party cannot impact Espressif.
-------
Singapore’s bilingual education gave the engineer an adequate command of Chinese; he played translator for his Chinese and non-Chinese speaking staff in meetings during Espressif’s early days.
And the time he spent in national service with the Singapore Armed Forces taught him the importance of being in the front line, of knowing the ground well.
The CEO believes that entrepreneurship cannot be taught. One needs to have a head for risk-taking, creativity, a big-picture perspective, and to be prepared to fail.
And passion, of course.
He has a nugget of wisdom for those who have yet to find theirs: “There are two things that drive people... One is passion, the other is fear... If you lose that fear, you might find your passion.”
Your paranoia about the Chinese is equally applicable to Americans, whose NSA has given itself carte-blanche to infiltrate any computing system it desires, for whatever reason, in total secrecy - without recourse for the public to address any wrongs.
So I'm not sure that framing your paranoia in terms of "the Chinese" is productive - you might just want to update that thought with "any state actor who operates covert torture sites and violates human rights at immense scale", in which case your set of actually hostile actors becomes a little more realistic.
The biggest threat to your freedom and human rights, as an American, is your own government.
> Your paranoia about the Chinese is equally applicable to Americans, whose NSA has given itself carte-blanche to infiltrate any computing system it desires, for whatever reason, in total secrecy - without recourse for the public to address any wrongs.
Yes, except China also 'infiltrates' Chinese companies themselves, and can perhaps order them to put in backdoors.
The NSA generally does not order US companies around, as evidenced by the fact it's been documented that they intercept shipments and compromise the systems on their own:
If the NSA had an 'in' into Cisco (or Juniper, or Aruba, etc), they wouldn't need to clandestinely have their own 'compromise factories'.
Yes, both the Chinese and NSA do cyber stuff, but so does every country. At the very least the odds of getting a 'clean' product from an American supplier compared to a Chinese one are higher: the links between Chinese companies and government are often murky.
>Yes, except the China also 'infiltrate' Chinese companies themselves, and can perhaps order them to put in backdoors.
As does the USA's own spy agencies. There is literally no moral authority on this issue that can be claimed by America over China. Did you overlook the multiple NSA backdoors implemented by Microsoft over the years, or just have not caught up to this situation, yet? See also - Intel: TPM.
>The NSA generally does not order US companies around
I believe this to be false on the basis of multiple whistleblower leaks which demonstrate otherwise. Not to mention that American companies have evolved the canary mechanism as a means of bypassing strict secrecy rules around disclosure of this influence by the spooks.
>At the very least the odds of getting a 'clean' product from an American supplier compared to a Chinese one are higher: the links between Chinese companies and government are often murky.
I do not believe this to be true one bit. China and America are equivalent when it comes to trustworthiness, which is to say neither country has the moral authority to claim a more ethical behaviour over the other when it comes to human rights.
China doesn't operate Pine Gap - the world's biggest, wholesale violator of human rights at massive scale, ever.
I think that is a very, very naive point of view. There are countless examples of this happening - probably they're not on your radar because your nation was the recipient of the stolen goods ..
The USA regularly uses its intelligence apparatus to undermine economy and industry in other countries. I would even say, at a far greater rate, with worse results (for the targets) than anything China or Russia are doing ..
The mass violation of human rights for billions of people (literally) that occurs every millisecond of the day at Pine Gap on behalf of the American government, for example, demonstrates that this naivete is very, very dangerous.
> The USA regularly uses its intelligence apparatus to undermine economy and industry in other countries. I would even say, at a far greater rate, with worse results (for the targets) than anything China or Russia are doing ..
This was my point. How often does it use its power to undermine the US economy or industry in the US?
NSA is infamous for its involvement in stealing trade secrets and generally cooperating clandestinely to for example ensure US company wins the bid. And the competition is often supposed US allies.
It also rather infamously claimed it never partakes in industrial espionage, despite it being somewhat well documented in 1990s that they do.
Generally, if the contract is big enough, and specially if the companies involved have military/intelligence ties otherwise as well (every bigger MIC corp), you can expect ITC, NSA, CIA and occasionally FBI and others to all be involved in unethical work related to getting the contract won by US vendor.
> NSA is infamous for its involvement in stealing trade secrets and generally cooperating clandestinely to for example ensure US company wins the bid. And the competition is often supposed US allies.
This was my point. They don't steal trade secrets in order to harm US companies.
Some old Realtek switch chips featured a protocol called RRCP[1] where you could write to the hardware registers using a specific type of Ethernet frame. So I guess a CCP-designed backdoor would probably detect a specially encrypted WiFi packet and allow the internal memory of the device to be written/read over the air. The key would be hardwired into the chip, part of the random logic - so there will be no visible block to identify on visual inspection of the die.
Or more subtly they could insert (or just not fix) a bug which allows packet descriptors to be overwritten on reception of a certain malformed WiFi packet, e.g. too short or long, which makes it possible to overwrite regions of the device's memory and thus compromise it. An SDR might be required to transmit the malformed packet(s).
By the way, I wonder if modern Realtek switch chips might still support RRCP, and an undocumented EEPROM bit or strapping resistor might re-enable it?
Many modern Realtek chips still support RRCP. You just need to enable it.
For example for RTL8370N:
Register 0x18d6 configures the 16-bit key, 0x18d4 selects which ports can use it (0xFF for all, normally only the cpu port), 0x18d3=0x1 enables it.
You can write these registers via the management interface or via the EEPROM. It will not respond to discovery packets, but get and set packets work fine.
This chip also has an 8051 core that can access the internal bus and can tx/rx network packets. To use it you either attach external SPI flash (large program) or write the program into the internal RAM in the chip (small program).
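As an added example (not code from the thread or from Realtek), here is a small audit of an RTL8370N register dump against the three RRCP registers named in the comment above: it reports whether RRCP is switched on, which ports may use it, and whether anything beyond the CPU port is reachable. The CPU port number, the notion of a "trivial" key and the sample dumps are assumptions constructed for the example; since the comment notes the chip does not answer discovery packets, a register dump rather than a network probe is the reliable way to check.

```python
# Added example: audit RRCP exposure from an RTL8370N register dump.
# Register addresses and meanings are taken from the comment above;
# everything else (CPU port number, trivial-key list, sample dumps) is assumed.

RRCP_ENABLE_REG = 0x18D3    # bit 0 set -> RRCP enabled
RRCP_PORTMASK_REG = 0x18D4  # bitmask of ports allowed to use RRCP (0xFF = all)
RRCP_KEY_REG = 0x18D6       # 16-bit authentication key

TRIVIAL_KEYS = (0x0000, 0xFFFF)  # assumption: keys nobody should ship with


def audit_rrcp(regs, cpu_port=8):
    """Classify one register dump as 'disabled', 'cpu-only' or 'exposed'.

    regs: {register_address: 16-bit value} as read over the management
    interface or from the EEPROM image.  cpu_port=8 is an assumption; pass
    the real CPU port of the board being audited.
    """
    enabled = bool(regs.get(RRCP_ENABLE_REG, 0) & 0x1)
    mask = regs.get(RRCP_PORTMASK_REG, 0) & 0xFFFF
    key = regs.get(RRCP_KEY_REG, 0) & 0xFFFF

    # Expand the port bitmask into port numbers, then drop the CPU port:
    # whatever is left is reachable from outside the device.
    ports = [p for p in range(16) if mask & (1 << p)]
    exposed = [p for p in ports if p != cpu_port]

    if not enabled:
        status = "disabled"
    elif exposed:
        status = "exposed"
    else:
        status = "cpu-only"

    findings = []
    if enabled and exposed:
        findings.append("RRCP register access reachable from ports %s" % exposed)
    if enabled and key in TRIVIAL_KEYS:
        findings.append("RRCP key is a trivial value 0x%04x" % key)

    return {"enabled": enabled, "ports": ports, "key": key,
            "status": status, "findings": findings}


# Constructed sample dumps (not real devices), one per outcome.
SAMPLE_DUMPS = {
    "exposed":  {0x18D3: 0x0001, 0x18D4: 0x00FF, 0x18D6: 0x0000},
    "cpu_only": {0x18D3: 0x0001, 0x18D4: 0x0100, 0x18D6: 0xBEEF},
    "off":      {0x18D3: 0x0000, 0x18D4: 0x00FF, 0x18D6: 0xBEEF},
}

if __name__ == "__main__":
    for name, dump in SAMPLE_DUMPS.items():
        result = audit_rrcp(dump)
        print(name, result["status"], result["findings"])
```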
Thanks for that, I wonder how many switches out there have it enabled inadvertently, because of a mistake by the manufacturer?
By the way, some of the Broadcom chips have an integrated 8051, with on-chip ROM firmware. There are leaked datasheets floating around somewhere as well. If someone has the time to dump the on-chip ROM, it would be interesting to see what's in there.
Note, some of the pins marked NC in the datasheet are in fact the 8051 UART TX/RX lines.
> No trust for Chinese products from Chinese companies
That's fair but Espressif is wayyyyyyy more open than ANY Western chip maker. The entire framework and toolchains are open-source for one thing. You get listings and sometimes pseudo-code for the internal ROMs (though no code). You get full access to datasheets, technical reference, and sdk documentation. Everything in their SDK is documented. You even get help on github. All of that accessible to anyone anywhere at any time.
Contrast that to the last time I worked with Nordic in a professional manner, I had to sign NDAs to get the full documentation and toolchain. Their toolchain contained binary blobs that when inquired about you get told "don't worry about it ;)" which is shockingly frustrating when a crash occurs in them and you're left trying to work around it. And if you're not a professional you're basically SOL and left with half-baked community toolchains, when they exist for a particular chip.
> Contrast that to the last time I worked with Nordic in a professional manner, I had to sign NDAs to get the full documentation and toolchain
That has to be at least 5 years ago, but even back then, 99% of their software was out in the open. Now, their SDK is open source, their official toolchain is based on the Linux Foundation's Zephyr toolchain and their docs are open and buildable. Their support is done on an open forum and complete data sheets are available both as PDFs and (with the exception of the nRF51) as web pages. They aren't allowed to publish their LTE stack because of operator licensing, their Bluetooth link layer is still distributed as a library and some upcoming SoCs aren't publicly available yet, but aside from this, they're as open as they can possibly be.
If I'm not mistaken a very significant part of that is due to hobbyist interest in the chips, not in the least by Sprite_tm (also a HN user, now employed by Espressif).
The ESP8266 essentially started out as a wifi modem, responding to AT commands transmitted over serial, but going from there to a full standalone device relied on a lot of work by enthusiasts[0] and a leaked proprietary SDK[1].
Sure, but if one in a million people bothers to check what it is actually sending through their router, then any malicious activity would get detected and disclosed to the public - and since that hasn't happened, we can assume that it isn't happening on a large scale.
Some stick them on unrouted lans. But that may not preclude mesh like activity between restricted and unrestricted ESP-32's that are close enough to see each other.
Tbf I think China is more interested in the money espressif makes than anything like spying. Because they'd be so easily caught out by anyone with a decent router. And if they ever happened then the whole company would be gibbed.
So... you are basing your fears on just that, hunches, and yet presumably your own government is spying on others and maybe you, but that doesn't bother you because USA / Five Eyes are the "good guys".
No, the general assumption should be that any nation state will take advantage of this kind of opportunity, regardless of whether they are Western or Eastern.
How are the two not equivalent? If anything, for anyone living in the west it's probably less of an issue to have China spy on them than a western government. Sure, at a state security level it's not but for regular individuals I sure would rather have China spy on me since they can't do anything to me directly.
> You have at least some civil rights in those countries
I'm sure the lads that spent decades in Guantanamo with no charges brought against them after being kidnapped based on their watch model will be very glad to hear they have civil rights.
26000 people's internet history was looked at with a fine tooth comb in order to find that one IP which had viewed Tom and Jerry on YouTube. YouTube wouldn't give information but ISPs are by law or otherwise willing to "help" the police because it's a "my way or highway" rule with the government.
So my point is, did I consent to this snooping? I am "supposed" to have laws but "think of the children". Next time it is political opponents or dissidents, as has been the case.
This isn't just in India or China or USA but everywhere.
I mean, sure yeah don't go to China. That's pretty solid advice. But again, that's irrelevant for the average western user. Even with civil rights, the potential to get hurt by a western government while living in the west is orders of magnitude more probable than getting anything from the CCP or China. But yeah don't do layovers in China if you are a dissident, though I don't think that's an especially common scenario.
I use a Chinese phone with a Chinese ROM. I installed Google service as apps, with limited permissions. I'd rather have Uncle Xi listening than Uncle Sam.