Experts discovered an undocumented hidden feature in the ESP32 microchip manufactured by Espressif, which is used in over 1 billion devices.
At the RootedCON, researchers at Tarlogic Innovation presented their findings on undocumented commands in the ESP32 microchip designed by the Chinese manufacturer Espressif.
The hidden functionality could act as a backdoor, enabling impersonation attacks and persistent infections on devices like smartphones, smart locks, and medical equipment. Tarlogic also developed a tool for auditing Bluetooth device security across all operating systems.
The experts warn that a hidden feature poses a security risk for millions of IoT devices.
“Tarlogic Security has detected a hidden functionality that can be used as a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices.” reads the report published by the researchers “Exploitation of this hidden functionality would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.”
Tarlogic researchers used the BSAM methodology, introduced last year, to systematically audit Bluetooth device security.
“In the course of the investigation, a hidden feature was discovered in the ESP32 chip, used in millions of IoT devices and which can be purchased on the world’s most famous e-commerce sites for €2. It is this low cost that explains why it is present in the vast majority of Bluetooth IoT devices for domestic use.” continues the researchers. “In 2023, the manufacturer Espressif reported in a statement that one billion units of this chip had been sold worldwide to date.”
Tarlogic’s Innovation Department created BluetoothUSB, a free driver that allows researchers to conduct comprehensive Bluetooth security audits across all devices, regardless of OS or programming language. This tool eliminates the need for diverse hardware, making security testing more accessible. The researchers pointed out that BluetoothUSB aims to democratize security analysis for millions of IoT devices, helping manufacturers develop tools to test and protect Bluetooth-enabled gadgets.
The researchers discovered multiple hidden commands using the tool they created.
Through reverse engineering, Targolic researchers discovered hidden commeds (code 0x3F) in the ESP32 Bluetooth firmware. Inspecting the code, Targolic noticed that the last entry in the table references the code 0x3F that is reserved for proprietary commands. The code contains 29 undocumented HCI commands by ESP.
The researchers demonstrated how a threat actor could fully control ESP32 chips, gain persistence through RAM and Flash modification, and potentially spread to other devices using advanced Bluetooth attacks.
“We would like to clarify that it is more appropriate to refer to the presence of proprietary HCI commands—which allow operations such as reading and modifying memory in the ESP32 controller—as a “hidden feature” rather than a “backdoor.” concludes the report. “The use of these commands could facilitate supply chain attacks, the concealment of backdoors in the chipset, or the execution of more sophisticated attacks. Over the coming weeks, we will publish further technical details on this matter.”
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ESP32 microchip manufactured by Espressif)
