<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>FatFs on Smart Home? Sure — But Secure!</title><link>https://smarthome-aber-sicher.de/en/tags/fatfs/</link><description>Recent content in FatFs on Smart Home? Sure — But Secure!</description><generator>Hugo -- gohugo.io</generator><language>en</language><lastBuildDate>Thu, 09 Jul 2026 00:00:00 +0200</lastBuildDate><atom:link href="https://smarthome-aber-sicher.de/en/tags/fatfs/index.xml" rel="self" type="application/rss+xml"/><item><title>Plug In a USB Stick, Own the Device – the FatFs Flaw</title><link>https://smarthome-aber-sicher.de/en/blog/2026/07/09/fatfs-cve-2026/</link><pubDate>Thu, 09 Jul 2026 00:00:00 +0200</pubDate><guid>https://smarthome-aber-sicher.de/en/blog/2026/07/09/fatfs-cve-2026/</guid><description>&lt;img src="https://smarthome-aber-sicher.de/blog/2026/07/09/fatfs-cve-2026/cover.jpg" alt="Featured image of post Plug In a USB Stick, Own the Device – the FatFs Flaw" /&gt;&lt;p&gt;It was one of those moments where I stop mid-scroll through the news feed. A headline, half technical, half sensational – and a gut feeling that instantly says: &lt;em&gt;Oh no. I&amp;rsquo;m going to have to make a video about this again.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;The story: security researchers had found seven flaws in a piece of software most people have never heard of. The name sounded harmless – &lt;strong&gt;FatFs&lt;/strong&gt;. But the deeper I read, the clearer it became: this isn&amp;rsquo;t some niche topic for firmware nerds. This tiny piece of code sits inside &lt;strong&gt;millions&lt;/strong&gt; of devices. Very likely in your home, too. And the way these flaws were found honestly gave me goosebumps.&lt;/p&gt;
&lt;p&gt;So: grabbed a tea, opened the research doc, set up the camera. Here&amp;rsquo;s the whole story.&lt;/p&gt;
&lt;div class="video-wrapper"&gt;
&lt;div class="video-placeholder" data-embed="https://www.youtube-nocookie.com/embed/bLoQb63tEHg?autoplay=1" onclick="loadYtIframe(this)"&gt;
&lt;img src="https://smarthome-aber-sicher.de/maxresdefault_10329901374376856212_hu_92ada0334869f14c.jpg" alt="YouTube Video" loading="lazy"&gt;
&lt;div class="play-button"&gt;&lt;/div&gt;
&lt;div class="privacy-notice"&gt;
To load the video, please click the image. Please note that by doing so, data will be transmitted to YouTube.
&lt;/div&gt;
&lt;/div&gt;
&lt;/div&gt;
&lt;h2 id="the-nightmare-in-one-sentence"&gt;The nightmare in one sentence
&lt;/h2&gt;&lt;p&gt;Imagine someone plugs an ordinary USB stick into your device. They don&amp;rsquo;t type anything, don&amp;rsquo;t open a file, don&amp;rsquo;t crack a password or bypass a firewall. They just plug it in. And in that very moment, the device no longer belongs to you – it belongs to them.&lt;/p&gt;
&lt;p&gt;That&amp;rsquo;s exactly what the most dangerous of these flaws makes possible. No sophisticated network attack, no stolen password – a rigged storage medium is enough. And the crazy part: the code that makes this possible is probably running in a device in your home right now.&lt;/p&gt;
&lt;h2 id="what-even-is-fatfs"&gt;What even is FatFs?
&lt;/h2&gt;&lt;p&gt;&lt;strong&gt;FatFs&lt;/strong&gt; is a free, platform-independent software module written in C. Its only job: to teach a device how to read and write &lt;strong&gt;FAT- and exFAT-formatted&lt;/strong&gt; USB sticks and SD cards.&lt;/p&gt;
&lt;p&gt;Sounds trivial. But it&amp;rsquo;s exactly what you need when a device doesn&amp;rsquo;t have a full operating system like your laptop does. Your security camera, your ESP32 hobby project, an industrial controller, a drone – none of these have a Windows or Linux kernel to read the USB stick for them. They need a small, lean driver that handles exactly that. And very often that driver is FatFs.&lt;/p&gt;
&lt;p&gt;Because FatFs is so small, so free, and so reliable, it&amp;rsquo;s baked into the &lt;strong&gt;base kits&lt;/strong&gt; (SDKs) that countless devices build upon – not just hobby projects, but finished products sold in the millions worldwide. A tiny building block with a gigantic reach.&lt;/p&gt;
&lt;h3 id="the-sore-spot-maintained-by-a-single-person"&gt;The sore spot: maintained by a single person
&lt;/h3&gt;&lt;p&gt;And here&amp;rsquo;s the first part that gives you pause. FatFs is essentially maintained by &lt;strong&gt;one single person&lt;/strong&gt; – the Japanese developer known by the handle &amp;ldquo;ChaN&amp;rdquo;. No security team. No security mailing list. No vulnerability reporting channel. No CVE history.&lt;/p&gt;
&lt;p&gt;One person, as a volunteer, looks after code that runs in millions of devices. That&amp;rsquo;s not a criticism of that person – on the contrary, it&amp;rsquo;s an admirable contribution to the common good. But it&amp;rsquo;s the core of the problem we&amp;rsquo;re about to hit. (If you want the pattern behind this: it&amp;rsquo;s &lt;a class="link" href="https://xkcd.com/2347/" target="_blank" rel="noopener"
&gt;exactly the kind of &amp;ldquo;lonely dependency in the foundation&amp;rdquo; that xkcd nailed in a legendary 2020 comic&lt;/a&gt;.)&lt;/p&gt;
&lt;h2 id="the-most-dangerous-flaw-cve-2026-6682"&gt;The most dangerous flaw: CVE-2026-6682
&lt;/h2&gt;&lt;p&gt;Each of these vulnerabilities gets a unique ID and a severity score – a number between 0 and 10. The worst of the seven is &lt;strong&gt;CVE-2026-6682&lt;/strong&gt;, rated &amp;ldquo;high&amp;rdquo; with a &lt;strong&gt;CVSS score of 7.6&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;What happens technically? Here it is, without the jargon:&lt;/p&gt;
&lt;p&gt;When your device reads a memory card, it &lt;strong&gt;blindly trusts&lt;/strong&gt; the size values stored on the medium for each file. It does its math with those numbers to find its way around the card – which file sits where, how long it is, where to read.&lt;/p&gt;
&lt;p&gt;Now the attacker writes &lt;strong&gt;completely absurd numbers&lt;/strong&gt; onto a manipulated SD card. The device does its math with them anyway, because it trusts the card. And in doing so, &lt;strong&gt;the calculation overflows&lt;/strong&gt; – a so-called integer overflow. A bit like an old odometer rolling over from 9,999 back to 0. Except here it&amp;rsquo;s not the counter that breaks – the device suddenly starts writing to a &lt;strong&gt;completely wrong location in memory&lt;/strong&gt;.&lt;/p&gt;
&lt;p&gt;And that&amp;rsquo;s exactly what an attacker can exploit to inject their own malicious code. The researchers at runZero put it bluntly:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&amp;ldquo;Every physical access is a jailbreak.&amp;rdquo;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;Why does this work so reliably? Because small IoT devices almost never have the protections your PC has long had: no random shuffling of memory addresses (ASLR), often no real memory protection. What would fail at several hurdles on a modern PC sails right through on a bare microcontroller.&lt;/p&gt;
&lt;h3 id="not-just-one-flaw--seven"&gt;Not just one flaw – seven
&lt;/h3&gt;&lt;p&gt;CVE-2026-6682 is the most spectacular, but it doesn&amp;rsquo;t come alone. There are seven vulnerabilities in total (CVE-2026-6682 through -6688), and three of them have code-execution potential:&lt;/p&gt;
&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;CVE&lt;/th&gt;
&lt;th&gt;Short description&lt;/th&gt;
&lt;th&gt;Impact&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;6682&lt;/strong&gt; ⭐&lt;/td&gt;
&lt;td&gt;Integer overflow on FAT32 mount&lt;/td&gt;
&lt;td&gt;Code execution (RCE), CVSS 7.6&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;6683&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Division by zero (exFAT)&lt;/td&gt;
&lt;td&gt;Crash / denial of service&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;6684&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Infinite loop on partition scan&lt;/td&gt;
&lt;td&gt;Device hangs on mount&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;6685&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Integer underflow in cache&lt;/td&gt;
&lt;td&gt;Silent data corruption&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;6686&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Uninitialized memory after seek&lt;/td&gt;
&lt;td&gt;Old, deleted data readable&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;6687&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Stack overflow via exFAT label&lt;/td&gt;
&lt;td&gt;Code execution (esp. STM32)&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;strong&gt;6688&lt;/strong&gt;&lt;/td&gt;
&lt;td&gt;Overflow via long filename&lt;/td&gt;
&lt;td&gt;Code execution&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;
&lt;p&gt;The common denominator across all seven: FatFs &lt;strong&gt;blindly trusts&lt;/strong&gt; the metadata on the storage medium – file size, label length, partition count – and does its math with it without ever checking whether the values are even plausible.&lt;/p&gt;
&lt;h2 id="how-big-is-the-blast-radius"&gt;How big is the blast radius?
&lt;/h2&gt;&lt;p&gt;Now the key question: does this even affect me?&lt;/p&gt;
&lt;p&gt;Among the affected projects is &lt;strong&gt;Espressif&amp;rsquo;s ESP-IDF&lt;/strong&gt; – the development foundation for the famous &lt;strong&gt;ESP32 chips&lt;/strong&gt;. And if you know my channel, you know these chips are &lt;em&gt;everywhere&lt;/em&gt;. In &lt;strong&gt;ESPHome&lt;/strong&gt; devices, in &lt;strong&gt;Shellys&lt;/strong&gt;, in countless hobby projects – but also in masses of commercial off-the-shelf products. I&amp;rsquo;ve already made &lt;a class="link" href="https://smarthome-aber-sicher.de/en/post/esphome-cve-2025/" &gt;several videos about ESP security flaws&lt;/a&gt;, and it just doesn&amp;rsquo;t stop.&lt;/p&gt;
&lt;p&gt;The researchers verified &lt;strong&gt;17 concrete projects&lt;/strong&gt; that contain vulnerable FatFs code:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;espressif/esp-idf&lt;/strong&gt; (ESP32) – the basis of ESPHome, Tasmota, Shelly &amp;amp; co.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;STM32Cube&lt;/strong&gt; – in countless industrial and consumer devices&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Zephyr RTOS&lt;/strong&gt; and &lt;strong&gt;MicroPython&lt;/strong&gt; – growing IoT platforms&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;ArduPilot&lt;/strong&gt; – flight control for drones&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Keystone3&lt;/strong&gt; – a hardware crypto wallet (this is about real money)&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Samsung TizenRT&lt;/strong&gt;, RT-Thread, Mbed, RIOT, NodeMCU and more&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;Explicitly named as an attack target: &lt;strong&gt;security cameras with an SD card slot&lt;/strong&gt;. Exactly the kind of camera many of us have hanging by the front door, in the garage, or in the stairwell.&lt;/p&gt;
&lt;p&gt;And here&amp;rsquo;s the truly insidious part: you can&amp;rsquo;t even easily check whether your specific device is affected. Because which manufacturer writes on the box which filesystem driver they&amp;rsquo;ve buried deep in their firmware? Nobody does. So the honest rule of thumb is: &lt;strong&gt;if you own an embedded device with an SD card or USB slot, assume in case of doubt that it could be affected.&lt;/strong&gt;&lt;/p&gt;
&lt;h2 id="the-real-twist-an-ai-found-the-flaws"&gt;The real twist: an AI found the flaws
&lt;/h2&gt;&lt;p&gt;Now comes the part that made me want to do this video in the first place. Because &lt;em&gt;how&lt;/em&gt; these flaws were found is almost more interesting than the flaws themselves.&lt;/p&gt;
&lt;p&gt;These same researchers had already looked at FatFs once before – back in &lt;strong&gt;2017&lt;/strong&gt;. Back then they combed through the code by hand with human experts and fuzzed it for days. The result: a few minor bugs. Nothing earth-shattering.&lt;/p&gt;
&lt;p&gt;Now, in early 2026 – almost ten years later – they look at the same code again. But this time with a new helper: &lt;strong&gt;GitHub Copilot&lt;/strong&gt;, an AI coding assistant of the kind developers now use by the millions every day. No specialized attack framework, no elaborate fuzzing pipeline. The plain default mode in VS Code, with a few simple prompts.&lt;/p&gt;
&lt;p&gt;And suddenly out tumbled flaws that &lt;strong&gt;nobody had seen in 2017 – even though the vulnerable code already existed back then.&lt;/strong&gt; An off-the-shelf AI with a few simple prompts uncovered it within days.&lt;/p&gt;
&lt;p&gt;The researchers&amp;rsquo; sentence that gave me goosebumps:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&amp;ldquo;If we can uncover issues like these through the thoughtful use of AI-assisted vulnerability research, then just about anyone else can too.&amp;rdquo;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;And that is the real story. Here it&amp;rsquo;s the good guys who used the tool – and who reported their findings responsibly. But we have to assume that just as many others are doing the exact same thing right now. And they most certainly don&amp;rsquo;t publish their findings.&lt;/p&gt;
&lt;p&gt;The barrier to finding flaws in the &amp;ldquo;long tail&amp;rdquo; of old, long-overlooked code has just &lt;strong&gt;collapsed&lt;/strong&gt;. For defenders and attackers alike.&lt;/p&gt;
&lt;h2 id="the-second-shock-theres-no-patch"&gt;The second shock: there&amp;rsquo;s no patch
&lt;/h2&gt;&lt;p&gt;&amp;ldquo;Alright,&amp;rdquo; you might think, &amp;ldquo;then an update will come and it&amp;rsquo;s sorted.&amp;rdquo; And that&amp;rsquo;s exactly where the next problem lies.&lt;/p&gt;
&lt;p&gt;Remember the one-man project? The researchers contacted the maintainer back &lt;strong&gt;in March 2026&lt;/strong&gt;, several times since. They even brought in &lt;strong&gt;JPCERT/CC&lt;/strong&gt; – Japan&amp;rsquo;s coordination center for security vulnerabilities. The response to date: &lt;strong&gt;radio silence.&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;That means there&amp;rsquo;s no central patch to simply roll out. &lt;strong&gt;Every single project&lt;/strong&gt; that builds on FatFs – ESP-IDF, Zephyr, STM32Cube, MicroPython and all the rest – now has to find the flaws itself, fix them itself, and then ship the updates to its own devices. And the manufacturers of those devices in turn have to follow suit.&lt;/p&gt;
&lt;p&gt;The researchers therefore estimate the window until widespread remediation in &lt;strong&gt;years, not days or weeks&lt;/strong&gt;.&lt;/p&gt;
&lt;h2 id="staying-honest-the-physical-access-fallacy"&gt;Staying honest: the &amp;ldquo;physical access&amp;rdquo; fallacy
&lt;/h2&gt;&lt;p&gt;And now let&amp;rsquo;s take a breath. Because here comes the part many sensational headlines leave out – and where most people make a thinking error.&lt;/p&gt;
&lt;p&gt;This attack requires &lt;strong&gt;physical access&lt;/strong&gt;. The manipulated card or stick actually has to be plugged into the device. This is explicitly &lt;strong&gt;not&lt;/strong&gt; the &amp;ldquo;a hacker breaks into your camera from the internet tonight&amp;rdquo; scenario. If a device sits safely in your home and no stranger can reach it, such a jailbreak isn&amp;rsquo;t a catastrophe.&lt;/p&gt;
&lt;p&gt;There&amp;rsquo;s even a fair objection I keep reading in the comments on other reports: for &amp;ldquo;locked-down&amp;rdquo; devices you own yourself, being able to jailbreak them via USB is arguably more of a &lt;strong&gt;feature&lt;/strong&gt; than a threat. There&amp;rsquo;s something to that.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;But&lt;/strong&gt; – and here&amp;rsquo;s the thinking error – there very much are situations where this hits you hard:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Used devices.&lt;/strong&gt; You buy a camera or hobby device secondhand and don&amp;rsquo;t know what&amp;rsquo;s on the included memory card.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Cameras in accessible spots.&lt;/strong&gt; Doorbell, garage, stairwell, office building – anywhere someone could quickly swap an SD card.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The unattended moment.&lt;/strong&gt; A cleaner, a technician, a visitor. A few seconds of physical access is enough. In security this is called &amp;ldquo;evil maid&amp;rdquo;.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;The supply chain.&lt;/strong&gt; Rigged storage media that arrive already manipulated.&lt;/li&gt;
&lt;/ol&gt;
&lt;p&gt;So this isn&amp;rsquo;t an apocalyptic scenario. It&amp;rsquo;s about &lt;strong&gt;realistically assessing your own threat model&lt;/strong&gt; – instead of panicking or reflexively dismissing the whole thing.&lt;/p&gt;
&lt;h2 id="your-smart-home-survival-tips"&gt;Your smart home survival tips
&lt;/h2&gt;&lt;p&gt;You can barely verify whether a device is affected. But you&amp;rsquo;re not powerless:&lt;/p&gt;
&lt;ol&gt;
&lt;li&gt;&lt;strong&gt;Install updates.&lt;/strong&gt; I say it in every other video – but that&amp;rsquo;s exactly what updates are for. As soon as Espressif, ESPHome or your camera manufacturer follows up: install, don&amp;rsquo;t dismiss.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Think about which devices strangers can reach.&lt;/strong&gt; Not every device is equally exposed. The camera on the outside wall is a different risk than the sensor in your living room.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Always reset and reflash used devices&lt;/strong&gt; before letting them into your network. You never know what the previous owner left on them.&lt;/li&gt;
&lt;/ol&gt;
&lt;h2 id="the-real-lesson"&gt;The real lesson
&lt;/h2&gt;&lt;p&gt;In the end, this one flaw isn&amp;rsquo;t the big story. FatFs will get fixed, sooner or later. The real lesson is a different one:&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;AI has driven the cost of finding bugs like these to near zero.&lt;/strong&gt; Code that flew under the radar for ten years is now uncovered in days – by off-the-shelf tools anyone can use. That&amp;rsquo;s good news when the good guys are faster. And unsettling news when they&amp;rsquo;re not.&lt;/p&gt;
&lt;p&gt;Over the coming years we&amp;rsquo;ll see &lt;strong&gt;a lot more&lt;/strong&gt; reports like this. That&amp;rsquo;s exactly why this video mattered so much to me.&lt;/p&gt;
&lt;hr&gt;
&lt;h2 id="sources--further-reading"&gt;Sources &amp;amp; further reading
&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;&lt;strong&gt;runZero – original report:&lt;/strong&gt; &lt;a class="link" href="https://www.runzero.com/blog/fatfs-bugs/" target="_blank" rel="noopener"
&gt;Seven FatFs bugs, one very large blast radius&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;runZero – research repo with PoC &amp;amp; details:&lt;/strong&gt; &lt;a class="link" href="https://github.com/runZeroInc/vulns-2026-fatfs-chance" target="_blank" rel="noopener"
&gt;vulns-2026-fatfs-chance&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Risky Business:&lt;/strong&gt; &lt;a class="link" href="https://news.risky.biz/risky-bulletin-fatfs-bugs-enable-physical-access-attacks-on-a-load-of-devices/" target="_blank" rel="noopener"
&gt;FatFs bugs enable physical access attacks on a load of devices&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;FatFs – official project page:&lt;/strong&gt; &lt;a class="link" href="http://elm-chan.org/fsw/ff/00index_e.html" target="_blank" rel="noopener"
&gt;elm-chan.org/fsw/ff&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;h2 id="more-on-the-blog"&gt;More on the blog
&lt;/h2&gt;&lt;ul&gt;
&lt;li&gt;&lt;a class="link" href="https://smarthome-aber-sicher.de/en/post/esphome-cve-2025/" &gt;ESPHome security flaw: critical CVE hits all ESP32 devices&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
&lt;hr&gt;
&lt;p&gt;&lt;strong&gt;Do you find AI hunting for security flaws more reassuring or more unsettling?&lt;/strong&gt; Let me know in the comments – I&amp;rsquo;m curious about your take.&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Note: Links marked with &lt;em&gt;affiliate link&lt;/em&gt; are affiliate links. As an Amazon Associate I earn from qualifying purchases. This means I receive a small commission if you purchase through these links — at no extra cost to you. The revenue helps me run this blog and YouTube channel and keep creating content. Thank you for your support!&lt;/p&gt;&lt;span class="cite"&gt;&lt;span&gt;― &lt;/span&gt;&lt;span&gt;Joachim&lt;/span&gt;&lt;cite&gt;&lt;/cite&gt;&lt;/span&gt;&lt;/blockquote&gt;</description></item></channel></rss>