The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.

Update 3/9/25: After receiving concerns about the use of the term "backdoor" to refer to these undocumented commands, we have updated the title of our story.

https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/

Undocumented commands found in Bluetooth chip used by a billion devices

The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.

BleepingComputer
@BleepingComputer probability is high that this backdoor was put in by the radio IP block vendor, since Espressif have no control over that IP or the firmware blob they use to talk to it -- they have previously (in relation to the ESP32 WiFi reverse engineering effort) stated that they are under an NDA and are not allowed to publish the firmware sources or any documentation on the radio IP core interface. So this will most likely be news to Espressif and it will be interesting how they react.

@filmroellchen @BleepingComputer meh, reads like a nothingburger, and so does the official publication. Undocumented HCI opcodes sound scary until you learn that you need local device access to even talk with HCI. So the attack surface is limited to whatever talks with the HCI stack (which in most projects is just esp-idf/FreeRTOS).

remote exploitation PoC || GTFO

Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices

Tarlogic presents research revealing undocumented commands in the ESP32 microchip, present in millions of smart devices with Bluetooth

Tarlogic

@domi @filmroellchen @BleepingComputer Yep, definitely overblown. The slides are much better than the article - this functionality is interesting for exploring the layers below HCI, and the slides only mention the security aspect as a footnote.

It's only a security issue if you're directly exposing HCI to another application processor. Possible, but I'm not sure how many devices would do that - you're probably not picking an ESP32 to do Bluetooth for your embedded Linux system.

Lots of people who don't understand how Bluetooth works getting misled by the way this article was written...
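The two replies above turn on what an HCI command actually is and why "undocumented opcodes" only matter to whatever already has access to the HCI transport. As an added illustration (not code from the thread, the article or Tarlogic's research), this decoder splits the 16-bit HCI opcode into its OGF/OCF fields and flags commands in the vendor-specific group (OGF 0x3F, the group the Bluetooth Core specification reserves for vendor commands); the sample packets and the OCF 0x0001 vendor command are constructed, not values taken from the ESP32 findings.

```python
"""Decode H4-framed Bluetooth HCI command packets and flag vendor-specific opcodes."""
import struct
from dataclasses import dataclass

HCI_COMMAND_PKT = 0x01       # H4 packet indicator for an HCI command
OGF_VENDOR_SPECIFIC = 0x3F   # Bluetooth Core spec: OGF 0x3F is reserved for vendor commands


@dataclass
class HciCommand:
    ogf: int
    ocf: int
    params: bytes

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def parse_hci_command(pkt: bytes) -> HciCommand:
    """Parse one command frame laid out as: 0x01 | opcode (LE16) | param length | params."""
    if len(pkt) < 4 or pkt[0] != HCI_COMMAND_PKT:
        raise ValueError("not an HCI command packet")
    opcode, plen = struct.unpack_from("<HB", pkt, 1)
    params = pkt[4:]
    if len(params) != plen:
        raise ValueError(f"parameter length {plen} does not match {len(params)} bytes present")
    # Opcode layout: upper 6 bits are the OGF (command group), lower 10 bits the OCF.
    return HciCommand(ogf=opcode >> 10, ocf=opcode & 0x03FF, params=params)


def audit(packets):
    """Return (ogf, ocf) for every well-formed vendor-specific command in a capture."""
    hits = []
    for pkt in packets:
        try:
            cmd = parse_hci_command(pkt)
        except ValueError:
            continue  # malformed frame; a monitoring tool would log it rather than drop it
        if cmd.vendor_specific:
            hits.append((cmd.ogf, cmd.ocf))
    return hits


# Constructed sample capture (not from the article): two standard commands,
# one hypothetical vendor-specific command, and one truncated frame.
SAMPLE = [
    bytes.fromhex("01030c00"),      # HCI_Reset: OGF 0x03, OCF 0x0003, no parameters
    bytes.fromhex("010c20020100"),  # LE_Set_Scan_Enable: OGF 0x08, OCF 0x000C, params 01 00
    bytes.fromhex("0101fc02aabb"),  # vendor-specific: OGF 0x3F, OCF 0x0001 (constructed)
    bytes.fromhex("0101fc05aa"),    # declares 5 parameter bytes but carries 1: skipped
]
```

Running `audit(SAMPLE)` on the constructed capture reports only the one vendor-group command, which is the kind of entry a host-side HCI trace review would single out for further inspection.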