BleepingComputerMar 8, 2025

The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.

Update 3/9/25: After receiving concerns about the use of the term "backdoor" to refer to these undocumented commands, we have updated the title of our story.

https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/

Undocumented commands found in Bluetooth chip used by a billion devices

The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.

BleepingComputer
Show threadcat::<kleinesFilmröllchen>Mar 8, 2025
@BleepingComputer probability is high that this backdoor was put in by the radio IP block vendor, since Espressif have no control over that IP or the firmware blob they use to talk to it -- they have previously (in relation to the ESP32 WiFi reverse engineering effort) stated that they are under an NDA and are not allowed to publish the firmware sources or any documentation on the radio IP core interface. so this will most likely be news to Espressif and it will be interesting how they react.
Show threaddmi đź’˝ Mar 8, 2025

@filmroellchen @BleepingComputer meh, reads like a nothingburger, and so does the official publication Undocumented HCI opcodes sound scary until you learn that you need local device access to even talk with HCI. so the attack surface is limited to whatever talks with the HCI stack (which in most projects is just esp-idf/FreeRTOS.

remote exploitation PoC || GTFO

Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices

Tarlogic presents research revealing undocumented commands in the ESP32 microchip, present in millions of smart devices with Bluetooth

Tarlogic
Show threadcat::<kleinesFilmröllchen>Mar 8, 2025
@domi @BleepingComputer true, i was not concerned with how critical this is, just with whether this is Espressif's fault and whether they know
Show threadjasegMar 8, 2025

@filmroellchen @domi @BleepingComputer As far as I can tell, this article is just bullshit. This is not a backdoor. HCI is not spoken over the air, instead it’s the local interface between the Bluetooth chipset and the application proscessor. It’s a trusted interface.

This doesn’t look like anyone’s “fault” to me, it just looks like a completely harmless debugging feature someone who either doesn’t know what they are doing or who is chasing clout is trying to blow up into a scandal.

Show threadkasperd

Is this one of those cases where the device vendor is trying to prevent the buyer from doing whatever they want with the hardware they now own?

The owner of hardware being able to do more with the hardware than it was intended to do should generally not be classified as a vulnerability.

Mar 8, 2025 at 6:33pmWeb
Show threadjasegMar 8, 2025

@kasperd it’s very much not such a case. The espressif chips are freely programmable, and espressif even supplies a decent free and mostly open source SDK. Here, these security consulting clowns really just took apart an example firmware that espressif provides for convenience so you don’t have to write your own.

You’re right, this isn’t the hardware doing anything inherently bad.

Show threadkasperdMar 8, 2025

In that case it sounds like somewhere along the way somebody have been misrepresenting the information. The slides I found are not in a language I understand, so for now I'll not try to judge who has been misrepresenting the information.

Extra undocumented features should only be considered a vulnerability or a backdoor if they can be used for privilege escalation or similar.

Show threadjasegMar 8, 2025
@kasperd I read the press release on the website of the security consultancy(?) that published this, and the news article mostly just repeated that. I think that consultancy is just bullshitting for clout, which sadly isn’t that rare in this industry.
Show threadkasperdMar 8, 2025

I see. I usually expect to find more technical information in slides and presentation. I just took another look and saw that there is indeed one more link than what I looked at previously.

I read part of that press release, but at some point I just didn't want to read any more of it. The press release are using a lot of words to say essentially nothing. They describe the impact as if they discovered a fundamental flaw in the Bluetooth protocol itself. But from the press release I learned nothing about what the supposed vulnerability is.

You have convinced me that they are exaggerating the problem. I am now quite uncertain whether there was a vulnerability in the first place.