Espressif’s popular ESP32 microchip, embedded in over a billion devices, has been found to contain an undocumented “backdoor” in its Bluetooth firmware. The finding was presented by Spanish researchers from Tarlogic Security at RootedCON in Madrid.
The ESP32 is a low-cost, low-power system-on-chip (SoC) highly regarded for its Wi-Fi and Bluetooth capabilities, making it suitable for Internet of Things (IoT) and embedded systems. Tarlogic’s findings indicate that the ESP32’s hidden commands enable attackers to spoof trusted devices, access sensitive information, pivot through networks, and establish persistent malware infections, affecting a broad range of devices from smart locks to medical equipment.
During their investigation, Tarlogic uncovered 29 secret vendor-specific commands in the ESP32’s Bluetooth firmware. These commands permit low-level memory manipulation, MAC address spoofing, and packet injection. Accessed through Opcode 0x3F, these functions provide attackers with raw control over Bluetooth traffic, circumventing standard operating system security measures.
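In HCI, the vendor-specific command group the article refers to is carried in the upper six bits of the 16-bit opcode (Opcode Group Field 0x3F, with the command itself in the lower ten bits), which is what a monitoring tool looks at when deciding whether a host is sending such commands to a controller. The decoder below is an added illustration, not Tarlogic’s or Espressif’s code; it walks a constructed H4 (UART) byte stream and flags every command in the vendor-specific group, and the vendor OCF 0x0001 used in the sample is a placeholder, not one of the 29 commands from the report.

```python
"""Decode HCI H4 packets and flag vendor-specific commands (OGF 0x3F)."""
import struct

H4_COMMAND, H4_ACL, H4_EVENT = 0x01, 0x02, 0x04
VENDOR_OGF = 0x3F  # Bluetooth Core Spec: OGF 0x3F is reserved for vendor-specific commands


def split_opcode(opcode: int) -> tuple:
    """Split a 16-bit HCI opcode into (OGF, OCF): OGF is the top 6 bits, OCF the low 10."""
    return opcode >> 10, opcode & 0x03FF


def parse_h4_stream(data: bytes) -> list:
    """Walk an H4 stream of command/ACL/event packets and return one record per packet."""
    records, i = [], 0
    while i < len(data):
        ptype = data[i]
        if ptype == H4_COMMAND:  # indicator, opcode (LE16), param length, params
            opcode, plen = struct.unpack_from("<HB", data, i + 1)
            ogf, ocf = split_opcode(opcode)
            records.append({"type": "cmd", "opcode": opcode, "ogf": ogf, "ocf": ocf,
                            "params": data[i + 4:i + 4 + plen], "vendor": ogf == VENDOR_OGF})
            i += 4 + plen
        elif ptype == H4_EVENT:  # indicator, event code, param length, params
            code, plen = struct.unpack_from("<BB", data, i + 1)
            records.append({"type": "evt", "code": code,
                            "params": data[i + 3:i + 3 + plen], "vendor": False})
            i += 3 + plen
        elif ptype == H4_ACL:  # indicator, handle+flags (LE16), data length (LE16), data
            handle_flags, dlen = struct.unpack_from("<HH", data, i + 1)
            records.append({"type": "acl", "handle": handle_flags & 0x0FFF,
                            "data": data[i + 5:i + 5 + dlen], "vendor": False})
            i += 5 + dlen
        else:
            raise ValueError(f"unknown H4 packet type 0x{ptype:02x} at offset {i}")
    return records


def vendor_commands(data: bytes) -> list:
    """Return only the host-to-controller commands that fall in the vendor-specific group."""
    return [r for r in parse_h4_stream(data) if r["vendor"]]


# Constructed sample stream: HCI_Reset (opcode 0x0C03), its Command Complete event,
# then a vendor-specific command with placeholder OCF 0x0001 (opcode 0xFC01) and 2 bytes of params.
SAMPLE = bytes([0x01, 0x03, 0x0C, 0x00,
                0x04, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00,
                0x01, 0x01, 0xFC, 0x02, 0xAA, 0xBB])

if __name__ == "__main__":
    for cmd in vendor_commands(SAMPLE):
        print(f"vendor-specific HCI command: opcode=0x{cmd['opcode']:04X} ocf=0x{cmd['ocf']:04X}")
```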
Espressif has not clarified if this was an error or a deliberate inclusion. This uncertainty raises concerns among security professionals regarding the vulnerability of IoT devices utilizing the ESP32 and whether firmware updates can mitigate the potential risks.
However, some analysts, including Xeno Kovah, argue that the characterization of this issue as a “backdoor” is exaggerated. Kovah states that the identified vendor-specific commands (VSCs) are standard features in Bluetooth controllers, with each manufacturer implementing these features as part of their software development kits (SDKs). These VSCs facilitate firmware updates and provide debugging capabilities, and they are generally documented, although some companies like Broadcom do not fully disclose them.
Following this feedback, Tarlogic amended their report, opting to refer to the VSCs as “hidden features” rather than a backdoor. Kovah also points out that the presence of similar VSCs in numerous Bluetooth controllers from other companies like Texas Instruments and Broadcom suggests a wider security concern if these VSCs are recognized as vulnerabilities.
Featured image credit: Espressif