Jiska
Broadcom and Cypress chips have the same HCI "backdoor" allowing to write to the Bluetooth chip's RAM. This feature is used for firmware patches. We didn't request CVEs for that 9 years ago. Instead, we built the InternalBlue Bluetooth research framework. https://github.com/seemoo-lab/internalblue
Tarlogic
🔷 A backdoor in the ESP32 chip would allow it to infect millions of devices. Miguel Tarascó and @antonvblanco have revealed this at the @rootedcon this backdoor and presented a tool to perform Bluetooth security audits on any gadget. https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/