by gruez 465 days ago
>In theory, the attacker could then use the undocumented commands to scan, spoof, or otherwise attack any nearby bluetooth devices. Perhaps this could even be achieved without gaining root on the device which is hosting the esp32.

How's this any different than a laptop getting pwned and attackers being able to run aircrack-ng or whatever on it?

2 comments

It's not that different. It might be easier than your average "pwn" and might not require root access, but this is only my hypothesis based on what's written in TFA.
If it is USB, you should be able to do it directly in JS via Chrome.
WebUSB requires the device to opt in via its USB descriptors. Otherwise any USB device with firmware updates would have this problem.

Maybe an issue here is WebSerial, as HCI comes over a serial port device. I believe the OS should block access to the serial device once the host driver takes it as a Bluetooth adapter though.

> WebUSB requires the device to opt in via its USB descriptors.

IIRC, that restriction was removed.
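The sub-thread above hinges on what a browser will and won't let a page do with a USB device. The following is an added example, not code from the thread or from any project: it parses a USB configuration descriptor the way a host reads it from GET_DESCRIPTOR and applies the rule the WebUSB spec actually enforces today, the "protected interface classes" list (Audio, HID, Mass Storage, Smart Card, Video, Audio/Video, Wireless Controller), rather than any per-origin opt-in descriptor. The two descriptor blobs are constructed for illustration: one models a standard USB Bluetooth HCI dongle (class E0/01/01, which lands on the protected list), the other a dev board that enumerates as CDC-ACM serial plus a vendor-specific interface, the shape an ESP32 board typically presents over USB. Whether the OS has already bound a driver to an interface, which the comment above mentions, is a separate gate this model does not include.

```javascript
// Added example (not from the thread): parse a USB configuration descriptor
// and apply the WebUSB "protected interface classes" rule to each interface.
// Class list is from the WebUSB spec; descriptor blobs below are constructed.

const PROTECTED_INTERFACE_CLASSES = new Map([
  [0x01, "Audio"],
  [0x03, "HID"],
  [0x08, "Mass Storage"],
  [0x0b, "Smart Card"],
  [0x0e, "Video"],
  [0x10, "Audio/Video"],
  [0xe0, "Wireless Controller"], // USB Bluetooth HCI is class E0, subclass 01, protocol 01
]);

const DESC_CONFIGURATION = 0x02;
const DESC_INTERFACE = 0x04;
const DESC_ENDPOINT = 0x05;

// Walk the descriptor chain returned for GET_DESCRIPTOR(CONFIGURATION).
// Every element starts with bLength and bDescriptorType; unknown types
// (CDC functional descriptors, etc.) are skipped by length.
function parseConfigurationDescriptor(bytes) {
  if (bytes.length < 9 || bytes[1] !== DESC_CONFIGURATION) {
    throw new Error("not a configuration descriptor");
  }
  const totalLength = bytes[2] | (bytes[3] << 8);
  if (totalLength !== bytes.length) {
    throw new Error(`wTotalLength ${totalLength} != blob length ${bytes.length}`);
  }
  const interfaces = [];
  let off = bytes[0]; // skip the 9-byte configuration header
  while (off < bytes.length) {
    const len = bytes[off];
    const type = bytes[off + 1];
    if (len < 2 || off + len > bytes.length) throw new Error(`bad bLength at offset ${off}`);
    if (type === DESC_INTERFACE) {
      interfaces.push({
        number: bytes[off + 2],
        altSetting: bytes[off + 3],
        cls: bytes[off + 5],
        subclass: bytes[off + 6],
        protocol: bytes[off + 7],
        endpoints: [],
      });
    } else if (type === DESC_ENDPOINT && interfaces.length) {
      interfaces[interfaces.length - 1].endpoints.push(bytes[off + 2]); // bEndpointAddress
    }
    off += len;
  }
  return { numInterfaces: bytes[4], interfaces };
}

// What a page can reach via navigator.usb once the user has picked the device
// in the chooser: claimInterface() is refused for protected classes no matter
// what else the device's descriptors say.
function webUsbClaimable(bytes) {
  return parseConfigurationDescriptor(bytes).interfaces.map(i => ({
    number: i.number,
    cls: i.cls,
    claimable: !PROTECTED_INTERFACE_CLASSES.has(i.cls),
    reason: PROTECTED_INTERFACE_CLASSES.get(i.cls) ?? null,
  }));
}

// Helpers to build constructed descriptor blobs (bulk endpoints, 64-byte packets).
function iface(num, cls, sub, proto, eps) {
  return [9, DESC_INTERFACE, num, 0, eps.length, cls, sub, proto, 0,
          ...eps.flatMap(addr => [7, DESC_ENDPOINT, addr, 0x02, 0x40, 0x00, 0])];
}
function config(...ifaces) {
  const body = ifaces.flat();
  const total = 9 + body.length;
  return Uint8Array.from([9, DESC_CONFIGURATION, total & 0xff, total >> 8,
                          ifaces.length, 1, 0, 0x80, 50, ...body]);
}

// Constructed: a USB Bluetooth HCI dongle (E0/01/01 on both interfaces).
const HCI_DONGLE = config(
  iface(0, 0xe0, 0x01, 0x01, [0x81, 0x82, 0x02]),
  iface(1, 0xe0, 0x01, 0x01, [0x83, 0x03]),
);

// Constructed: a dev board exposing CDC-ACM serial (control + data interface,
// which is what WebSerial would see) and a vendor-specific interface.
const DEV_BOARD = config(
  iface(0, 0x02, 0x02, 0x00, [0x81]),
  iface(1, 0x0a, 0x00, 0x00, [0x82, 0x02]),
  iface(2, 0xff, 0xff, 0x01, [0x83, 0x03]),
);

console.log(webUsbClaimable(HCI_DONGLE)); // both interfaces: claimable false, "Wireless Controller"
console.log(webUsbClaimable(DEV_BOARD));  // all three interfaces: claimable true
```

The practical reading: a real HCI dongle is off-limits to WebUSB by interface class, but a board that surfaces its HCI transport as a CDC serial port or a vendor interface is not, which is why the serial side is the more interesting question for a device like an ESP32.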

>It might be easier than your average "pwn" and might not require root access

It's an IOT device. Everything's running as root.

> How's this any different

It's undocumented.

My laptop came with a 10 page quick start guide that mentions nothing about this "vulnerability". The only way to figure out whether a wifi chip can enter promiscuous mode or inject packets is by checking a wiki page maintained by volunteers.