Mastodawn

BleepingComputer Mar 8, 2025

The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.

Update 3/9/25: After receiving concerns about the use of the term "backdoor" to refer to these undocumented commands, we have updated the title of our story.

https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/

Undocumented commands found in Bluetooth chip used by a billion devices

The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.

BleepingComputer

cat::<kleinesFilmröllchen>Mar 8, 2025

@BleepingComputer probability is high that this backdoor was put in by the radio IP block vendor, since Espressif have no control over that IP or the firmware blob they use to talk to it -- they have previously (in relation to the ESP32 WiFi reverse engineering effort) stated that they are under an NDA and are not allowed to publish the firmware sources or any documentation on the radio IP core interface. so this will most likely be news to Espressif and it will be interesting how they react.

dmi 💽 Mar 8, 2025

@filmroellchen @BleepingComputer meh, reads like a nothingburger, and so does the official publication Undocumented HCI opcodes sound scary until you learn that you need local device access to even talk with HCI. so the attack surface is limited to whatever talks with the HCI stack (which in most projects is just esp-idf/FreeRTOS.

remote exploitation PoC || GTFO

Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices

Tarlogic presents research revealing undocumented commands in the ESP32 microchip, present in millions of smart devices with Bluetooth

Tarlogic

cat::<kleinesFilmröllchen>Mar 8, 2025

@domi @BleepingComputer true, i was not concerned with how critical this is, just with whether this is Espressif's fault and whether they know

matthew Mar 9, 2025

@filmroellchen @domi @BleepingComputer As far as I can tell, this article is just bullshit. This is not a backdoor. HCI is not spoken over the air, instead it’s the local interface between the Bluetooth chipset and the application proscessor. It’s a trusted interface.

This doesn’t look like anyone’s “fault” to me, it just looks like a completely harmless debugging feature someone who either doesn’t know what they are doing or who is chasing clout is trying to blow up into a scandal.

dmi 💽 Mar 8, 2025

@jaseg @filmroellchen @BleepingComputer yup, exactly my point. I find it cooler from a reverse-engineering if anything

kasperd Mar 8, 2025

Is this one of those cases where the device vendor is trying to prevent the buyer from doing whatever they want with the hardware they now own?

The owner of hardware being able to do more with the hardware than it was intended to do should generally not be classified as a vulnerability.

jaseg Mar 8, 2025

@kasperd it’s very much not such a case. The espressif chips are freely programmable, and espressif even supplies a decent free and mostly open source SDK. Here, these security consulting clowns really just took apart an example firmware that espressif provides for convenience so you don’t have to write your own.

You’re right, this isn’t the hardware doing anything inherently bad.

kasperd Mar 8, 2025

In that case it sounds like somewhere along the way somebody have been misrepresenting the information. The slides I found are not in a language I understand, so for now I'll not try to judge who has been misrepresenting the information.

Extra undocumented features should only be considered a vulnerability or a backdoor if they can be used for privilege escalation or similar.

jaseg Mar 8, 2025

@kasperd I read the press release on the website of the security consultancy(?) that published this, and the news article mostly just repeated that. I think that consultancy is just bullshitting for clout, which sadly isn’t that rare in this industry.

kasperd Mar 8, 2025

I see. I usually expect to find more technical information in slides and presentation. I just took another look and saw that there is indeed one more link than what I looked at previously.

I read part of that press release, but at some point I just didn't want to read any more of it. The press release are using a lot of words to say essentially nothing. They describe the impact as if they discovered a fundamental flaw in the Bluetooth protocol itself. But from the press release I learned nothing about what the supposed vulnerability is.

You have convinced me that they are exaggerating the problem. I am now quite uncertain whether there was a vulnerability in the first place.

Gus Mar 9, 2025

@jaseg @filmroellchen @domi @BleepingComputer It certainly seems like exactly this.

Without a secondary bug (that the researchers don't have), it seems like this would only become a security issue if someone made a product that exposes the HCI interface over serial (i.e. to another host embedded computer), and then used the ESP32 hardware security features to lock down the ESP32 against reprogramming. In that case, an attacker with access to that wired HCI serial interface could potentially reprogram the chip - bypassing the hardware security protections.

But almost every ESP32 in the world runs its own custom firmware and doesn't accept HCI commands over serial at all. In all those cases, this "attack" requires an arbitrary code execution exploit first... and if you have code execution, you can already do all those things and more.

(Disclaimer: I have previously worked for Espressif, but not since 2021.)

Gus Mar 9, 2025

@jaseg @filmroellchen @domi @BleepingComputer Also kind of irked that (unless I missed it in the slides) the researchers didn't try to do any responsible disclosure. This would be trivially easy to patch (the HCI command handler checks for the vendor prefix and disallows it), and that would prevent the limited use cases where this is exploitable.

I assume Espressif will patch it now it's public.

jaseg Mar 9, 2025

@projectgus @BleepingComputer yeah. Also, in the rare application where someone uses an ESP via HCI as a Bluetooth chipset for another application processor, that application processor for sure will have some way of flashing new firmware to the ESP anyway, just to perform updates.

💬Mar 9, 2025

@jaseg @filmroellchen @domi @BleepingComputer @projectgus i think the point is that this lets you turn a non-persistent code exec in the host into a persistent presence in the esp peripheral. which isn’t nothing, assuming people are running a firmware with this included.

jaseg Mar 9, 2025

@rfc6919 @BleepingComputer @projectgus In any practical application, the host will have a way to update the ESP’s firmware through the bootloader anyway. The host in this scenario is another small microcontroller soldered to the same board next to the ESP. This interface is not a security boundary, at least not in this direction.

chrysn Mar 9, 2025

@jaseg @filmroellchen @domi @BleepingComputer The vulnerability they describe does indeed look bogus, but the underlying concern is real: Users and maybe even Espressif themselves don't know what is all in there.
Fortunately they released the blobs under Apache license, so the https://esp32-open-mac.be project can work (AFAICT, Espressif even assist them where they can!). To me, that project is what paves the way toward a trusted software supply chain.

ESP32 open MAC

Building an open-source Wi-Fi MAC for the ESP32

ESP32 open MAC