
Undocumented commands found in Bluetooth chip used by a billion devices

From Internetado <internetado@alt119.net>
Newsgroups comp.security.misc
Subject Undocumented commands found in Bluetooth chip used by a billion devices
Date 2025-03-10 15:43 -0300
Organization [fanless][news][peer].ALT119.NET
Message-ID <vqn1bn.79o.1@hamster.alt119.net>


Update 3/9/25: After receiving concerns about the use of the term 
'backdoor' to refer to these undocumented commands, we have updated our 
title and story. Our original story can be found here.

The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif 
and used by over 1 billion units as of 2023 contains undocumented 
commands that could be leveraged for attacks.

The undocumented commands allow spoofing of trusted devices, 
unauthorized data access, pivoting to other devices on the network, and 
potentially establishing long-term persistence.

This was discovered by Spanish researchers Miguel Tarascó Acuña and 
Antonio Vázquez Blanco of Tarlogic Security, who presented their 
findings yesterday at RootedCON in Madrid.

"Tarlogic Security has detected a backdoor in the ESP32, a 
microcontroller that enables WiFi and Bluetooth connection and is 
present in millions of mass-market IoT devices," reads a Tarlogic 
announcement shared with BleepingComputer.

"Exploitation of this backdoor would allow hostile actors to conduct 
impersonation attacks and permanently infect sensitive devices such as 
mobile phones, computers, smart locks or medical equipment by bypassing 
code audit controls."

The researchers warned that ESP32 is one of the world's most widely 
used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of 
Things) devices, so the risk is significant[...]

https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/

-- 

Eduardo.M - Brasil
=================
