The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.

Update 3/9/25: After receiving concerns about the use of the term "backdoor" to refer to these undocumented commands, we have updated the title of our story.

https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/

Undocumented commands found in Bluetooth chip used by a billion devices

The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.

BleepingComputer
@BleepingComputer probability is high that this backdoor was put in by the radio IP block vendor, since Espressif have no control over that IP or the firmware blob they use to talk to it -- they have previously (in relation to the ESP32 WiFi reverse engineering effort) stated that they are under an NDA and are not allowed to publish the firmware sources or any documentation on the radio IP core interface. so this will most likely be news to Espressif and it will be interesting how they react.

@filmroellchen @BleepingComputer meh, reads like a nothingburger, and so does the official publication. Undocumented HCI opcodes sound scary until you learn that you need local device access to even talk with HCI. so the attack surface is limited to whatever talks with the HCI stack (which in most projects is just esp-idf/FreeRTOS).

remote exploitation PoC || GTFO

Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices

Tarlogic presents research revealing undocumented commands in the ESP32 microchip, present in millions of smart devices with Bluetooth

Tarlogic
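The point in the post above is that the undocumented ESP32 commands live in the HCI command space, so anyone who can already speak HCI to the controller can issue them. From the defender's side, the useful question is therefore "what is talking to my controller, and is any of it sending vendor-specific opcodes I did not expect?" The following is an added example, not code from the thread, from Espressif or from Tarlogic: a small parser for an H4 (UART-framed) HCI byte stream that extracts command packets, splits the opcode into OGF/OCF, and reports vendor-specific commands (OGF 0x3F, the range the Bluetooth Core Specification reserves for vendor use) that are not on an allowlist. The sample stream and the vendor opcode 0xFD23 in it are constructed for the example and do not correspond to any real ESP32 command.

```python
"""Added example (not from the thread, Espressif or Tarlogic): decode HCI command
packets from an H4 byte stream and flag vendor-specific opcodes for an audit.

Assumptions: the input is a raw H4 stream as seen on the host side of the
host-controller link, containing command (0x01), ACL (0x02) and event (0x04)
packets; only command packets are inspected, the rest are skipped by length.
"""
from __future__ import annotations

from dataclasses import dataclass

H4_COMMAND = 0x01
H4_ACL = 0x02
H4_EVENT = 0x04
OGF_VENDOR_SPECIFIC = 0x3F  # Bluetooth Core Spec: OGF 0x3F is vendor-specific


@dataclass(frozen=True)
class HciCommand:
    opcode: int   # 16-bit opcode as transmitted (little-endian on the wire)
    ogf: int      # opcode group field, upper 6 bits
    ocf: int      # opcode command field, lower 10 bits
    params: bytes

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def parse_hci_commands(stream: bytes) -> list[HciCommand]:
    """Walk an H4 stream and return every HCI command packet, in order."""
    cmds: list[HciCommand] = []
    i, n = 0, len(stream)
    while i < n:
        ptype = stream[i]
        if ptype == H4_COMMAND:
            # command: opcode(2, LE), parameter length(1), parameters
            if i + 4 > n:
                raise ValueError(f"truncated command header at offset {i}")
            opcode = int.from_bytes(stream[i + 1:i + 3], "little")
            plen = stream[i + 3]
            params = stream[i + 4:i + 4 + plen]
            if len(params) != plen:
                raise ValueError(f"truncated command parameters at offset {i}")
            cmds.append(HciCommand(opcode, opcode >> 10, opcode & 0x3FF, params))
            i += 4 + plen
        elif ptype == H4_EVENT:
            # event: event code(1), parameter length(1), parameters
            if i + 3 > n:
                raise ValueError(f"truncated event header at offset {i}")
            i += 3 + stream[i + 2]
        elif ptype == H4_ACL:
            # ACL data: handle+flags(2), data length(2, LE), payload
            if i + 5 > n:
                raise ValueError(f"truncated ACL header at offset {i}")
            i += 5 + int.from_bytes(stream[i + 3:i + 5], "little")
        else:
            raise ValueError(f"unknown H4 packet type 0x{ptype:02x} at offset {i}")
    return cmds


def audit_vendor_commands(stream: bytes,
                          allowlist: frozenset[int] = frozenset()) -> list[HciCommand]:
    """Return vendor-specific commands whose opcode is not explicitly allowed."""
    return [c for c in parse_hci_commands(stream)
            if c.vendor_specific and c.opcode not in allowlist]


# Constructed sample stream (not a real capture):
#   01 03 0C 00             HCI_Reset (OGF 0x03, OCF 0x0003 -> opcode 0x0C03)
#   04 0E 04 01 03 0C 00    Command Complete event for HCI_Reset
#   01 23 FD 02 AA BB       constructed vendor command, opcode 0xFD23 (OGF 0x3F)
SAMPLE_STREAM = bytes.fromhex("01030C00" "040E0401030C00" "0123FD02AABB")

if __name__ == "__main__":
    for cmd in audit_vendor_commands(SAMPLE_STREAM):
        print(f"vendor-specific opcode 0x{cmd.opcode:04X} "
              f"(OGF 0x{cmd.ogf:02X}, OCF 0x{cmd.ocf:03X}) params={cmd.params.hex()}")
```

Fed a capture from the host-controller link (for example a UART tap on a board whose HCI traffic you own), the audit lists every vendor-specific command that is not on the allowlist of documented, expected ones. Because the parser only inspects what crosses that link, it also illustrates the post's point: the command surface is reachable only by whatever already has that local access.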
@domi @filmroellchen @BleepingComputer
do I understand correctly that this is an "if you can solder 2 wires to that chip, you can reflash its firmware" type of finding?

@wolf480pl @filmroellchen @BleepingComputer “if you can solder 2 wires to that chip, flash the firmware with their ‘bluetooth usb driver’ (actually a HCI bridge, from what I can gather), then you can flash custom firmware again through that custom firmware”

As for your wire estimate - you’d need 5 (SO, SI, SCK, CS, GND), or 3 (TX, RX, GND) if a HCI bridge was somehow already flashed. but close :)