Vulnerability in Billion-Dollar Bluetooth Chip Exposed

A team of Spanish researchers has discovered an undocumented “backdoor” in the ESP32 microchip, which is used in over 1 billion devices worldwide. The backdoor allows spoofing of trusted devices, unauthorized data access, and potentially long-term persistence. Espressif, the chip’s manufacturer, has not publicly documented these commands, leaving devices that contain the chip open to exploitation.

The researchers, from Tarlogic Security, developed a new tool that enables direct access to Bluetooth traffic, revealing hidden vendor-specific commands in the ESP32 firmware. These 29 undocumented commands can be used for memory manipulation, MAC address spoofing, and packet injection, making them potentially useful for malicious implementations or supply chain attacks.

Although an attacker with physical access to the device’s USB or UART interface poses the greater risk, a compromised IoT device containing the ESP32 chip could also hide malware and mount Bluetooth attacks against other devices. The researchers warn that exploiting this vulnerability could allow hostile actors to conduct impersonation attacks, infect sensitive devices, and bypass code audit controls.

Espressif has not commented on the findings, but the discovery highlights the need for improved security measures in IoT devices. As one commenter noted, the vast majority of people and organizations are unaware of the chip sets in their devices, making this vulnerability particularly concerning.

Source: https://www.bleepingcomputer.com/news/security/undocumented-backdoor-found-in-bluetooth-chip-used-by-a-billion-devices/