1. Forum
  2. Newsgroups
  3. comp.misc

  • undocumented backdoor found in ESP32

    From Salvador Mirzo@smirzo@example.com to alt.2600,comp.misc on Sat Mar 8 21:23:19 2025
    From Newsgroup: comp.misc

    Undocumented "backdoor" found in Bluetooth chip used by a billion devices
    Bill Toulas March 8, 2025 11:12 AM

    The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif
    and used by over 1 billion units as of 2023 contains an undocumented
    "backdoor" that could be leveraged for attacks.

    The undocumented commands allow spoofing of trusted devices,
    unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.

    This was discovered by Spanish researchers Miguel Tarascó Acuña and
    Antonio Vázquez Blanco of Tarlogic Security, who presented their
    findings yesterday at RootedCON in Madrid.

    "Tarlogic Security has detected a backdoor in the ESP32, a
    microcontroller that enables WiFi and Bluetooth connection and is
    present in millions of mass-market IoT devices," reads a Tarlogic
    announcement shared with BleepingComputer.

    "Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as
    mobile phones, computers, smart locks or medical equipment by bypassing
    code audit controls."

    The researchers warned that ESP32 is one of the world's most widely used
    chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things)
    devices, so the risk of any backdoor in them is significant.

    In their RootedCON presentation, the Tarlogic researchers explained that interest in Bluetooth security research has waned but not because the
    protocol or its implementation has become more secure.

    Instead, most attacks presented last year didn't have working tools,
    didn't work with generic hardware, and used outdated/unmaintained tools
    largely incompatible with modern systems.

    Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the
    hardware without relying on OS-specific APIs.

    Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the
    ESP32 Bluetooth firmware that allow low-level control over Bluetooth
    functions.

    In total, they found 29 undocumented commands, collectively
    characterized as a "backdoor," that could be used for memory
    manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.

    Espressif has not publicly documented these commands, so either they
    weren't meant to be accessible, or they were left in by mistake.

    The risks arising from these commands include malicious implementations
    on the OEM level and supply chain attacks.

    Depending on how Bluetooth stacks handle HCI commands on the device,
    remote exploitation of the backdoor might be possible via malicious
    firmware or rogue Bluetooth connections.

    This is especially the case if an attacker already has root access,
    planted malware, or pushed a malicious update on the device that opens
    up low-level access.

    In general, though, physical access to the device's USB or UART
    interface would be far riskier and a more realistic attack scenario.

    "In a context where you can compromise an IOT device with as ESP32 you
    will be able to hide an APT inside the ESP memory and perform Bluetooth
    (or Wi-Fi) attacks against other devices, while controlling the device
    over Wi-Fi/Bluetooth," explained the researchers to BleepingComputer.

    "Our findings would allow to fully take control over the ESP32 chips and
    to gain persistence in the chip via commands that allow for RAM and
    Flash modification."

    "Also, with persistence in the chip, it may be possible to spread to
    other devices because the ESP32 allows for the execution of advanced
    Bluetooth attacks."

    BleepingComputer has contacted Espressif for a statement on the
    researchers' findings, but a comment wasn't immediately available.

    Update 3/8/25: Added statement from Tarlogic.

    Source: <https://www.bleepingcomputer.com/news/security/undocumented-backdoor-found-in-bluetooth-chip-used-by-a-billion-devices/>

    --- Synchronet 3.20c-Linux NewsLink 1.2
  • From John McCue@jmccue@qball.jmcunx.com to comp.misc on Sun Mar 9 15:38:18 2025
    From Newsgroup: comp.misc

    In comp.misc Salvador Mirzo <smirzo@example.com> wrote:
    Undocumented "backdoor" found in Bluetooth chip used by a billion devices Bill Toulas March 8, 2025 11:12 AM

    The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif
    and used by over 1 billion units as of 2023 contains an undocumented "backdoor" that could be leveraged for attacks.

    Looks like there is more than meets the eye:

    This refutes the claim that researchers found a "backdoor" https://darkmentor.com/blog/esp32_non-backdoor/

    <snip>

    YMMV
    --
    [t]csh(1) - "An elegant shell, for a more... civilized age."
    - Paraphrasing Star Wars
    --- Synchronet 3.20c-Linux NewsLink 1.2
  • From not@not@telling.you.invalid (Computer Nerd Kev) to comp.misc on Mon Mar 10 07:36:03 2025
    From Newsgroup: comp.misc

    John McCue <jmccue@qball.jmcunx.com> wrote:
    In comp.misc Salvador Mirzo <smirzo@example.com> wrote:
    Undocumented "backdoor" found in Bluetooth chip used by a billion devices
    Bill Toulas March 8, 2025 11:12 AM

    The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif
    and used by over 1 billion units as of 2023 contains an undocumented
    "backdoor" that could be leveraged for attacks.

    Looks like there is more than meets the eye:

    This refutes the claim that researchers found a "backdoor" https://darkmentor.com/blog/esp32_non-backdoor/

    Yes it's an odd definition of backdoor where the attacker must
    already have full control over the device via the HCI commands
    which are how bluetooth controllers are controlled by a host
    system. The "backdoor" is that the host system can give the
    bluetooth controller some extra debugging commands, but security
    over the device's behavior has already been lost by the time an
    attacker is able to send standard HCI commands anyway.

    Also the "C-based USB Bluetooth driver" by Tarlogic, which sounds
    like a cross-platform equivalent for what you can do on Linux with
    Wireshark, is beside the point because they found the undocumented
    HCI commands by reverse engineering the ESP32 ROM downloaded from
    GitHub, not by looking at USB communications. That seems to be just
    an ad for their product.

    This does demonstrate the case for open-source firmware on such
    devices as Bluetooth controllers, which would allow these details
    to be discovered without someone needing an incentive to invest in reverse-engineering the binary ROMs. It's a better ad for
    open-source firmware than for Tarlogic's USB Bluetooth driver.
    Except that nobody(?) does open-source Bluetooth controller
    firmwares to begin with.
    --
    __ __
    #_ < |\| |< _#
    --- Synchronet 3.20c-Linux NewsLink 1.2
  • From nospam@nospam@example.net to comp.misc on Sun Mar 9 22:37:27 2025
    From Newsgroup: comp.misc

    This message is in MIME format. The first part should be readable text,
    while the remaining parts are likely unreadable without MIME-aware tools.

    --8323328-746219053-1741556249=:28252
    Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8BIT



    On Sun, 9 Mar 2025, John McCue wrote:

    In comp.misc Salvador Mirzo <smirzo@example.com> wrote:
    Undocumented "backdoor" found in Bluetooth chip used by a billion devices
    Bill Toulas March 8, 2025 11:12 AM

    The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif
    and used by over 1 billion units as of 2023 contains an undocumented
    "backdoor" that could be leveraged for attacks.

    Looks like there is more than meets the eye:

    This refutes the claim that researchers found a "backdoor" https://darkmentor.com/blog/esp32_non-backdoor/

    <snip>

    YMMV

    From the site:

    'Vendor-specific commands in Bluetooth effectively constitute a “private API”, and a company’s choice to not publicly document their private API does not constitute a “backdoor”.'

    Strange argument.

    If I buy a system, with an undocumented API that let's other people into
    my system, without me wanting this, I would consider it a backdoor.

    --8323328-746219053-1741556249=:28252--
    --- Synchronet 3.20c-Linux NewsLink 1.2
  • From Salvador Mirzo@smirzo@example.com to comp.misc on Mon Mar 10 03:30:04 2025
    From Newsgroup: comp.misc

    not@telling.you.invalid (Computer Nerd Kev) writes:

    John McCue <jmccue@qball.jmcunx.com> wrote:
    In comp.misc Salvador Mirzo <smirzo@example.com> wrote:
    Undocumented "backdoor" found in Bluetooth chip used by a billion devices >>> Bill Toulas March 8, 2025 11:12 AM

    The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif
    and used by over 1 billion units as of 2023 contains an undocumented
    "backdoor" that could be leveraged for attacks.

    Looks like there is more than meets the eye:

    This refutes the claim that researchers found a "backdoor"
    https://darkmentor.com/blog/esp32_non-backdoor/

    Yes it's an odd definition of backdoor where the attacker must
    already have full control over the device via the HCI commands
    which are how bluetooth controllers are controlled by a host
    system. The "backdoor" is that the host system can give the
    bluetooth controller some extra debugging commands, but security
    over the device's behavior has already been lost by the time an
    attacker is able to send standard HCI commands anyway.

    Thanks for this explanation. Apologies if I bought into misinformation
    here. Nevertheless, I think the report is healthy---the very post at darkmentor.com answers ``it depends'' when they ask whether it's a
    security vulnerability.

    I think the healthiest thing from hardware vendors is to document
    *everything*, although they have the right to reserve whatever they want
    for future changes, say. (Even if this doesn't work well in practice
    for the hardware vendors themselves; my perspective here is merely
    security.)

    Also the "C-based USB Bluetooth driver" by Tarlogic, which sounds
    like a cross-platform equivalent for what you can do on Linux with
    Wireshark, is beside the point because they found the undocumented
    HCI commands by reverse engineering the ESP32 ROM downloaded from
    GitHub, not by looking at USB communications. That seems to be just
    an ad for their product.

    It could be. Well observed.

    This does demonstrate the case for open-source firmware on such
    devices as Bluetooth controllers, which would allow these details
    to be discovered without someone needing an incentive to invest in reverse-engineering the binary ROMs. It's a better ad for
    open-source firmware than for Tarlogic's USB Bluetooth driver.
    Except that nobody(?) does open-source Bluetooth controller
    firmwares to begin with.

    Totally agreed.
    --- Synchronet 3.20c-Linux NewsLink 1.2