Update 3/9/25: After receiving concerns about the use of the term 'backdoor' to refer to these undocumented commands, we have updated our title and story.

The ubiquitous ESP32 microchip, made by Chinese manufacturer Espressif and shipped in over 1 billion units as of 2023, contains undocumented commands that could be leveraged for attacks.

The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.

This was discovered by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who presented their findings yesterday at RootedCON in Madrid.

"Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices," reads a Tarlogic announcement shared with BleepingComputer.

The researchers warned that ESP32 is one of the world's most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk is significant.

In their RootedCON presentation, the Tarlogic researchers explained that interest in Bluetooth security research has waned, but not because the protocol or its implementations have become more secure. Instead, most attacks presented last year didn't have working tools, didn't work with generic hardware, and used outdated/unmaintained tools largely incompatible with modern systems.

Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.

Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.

In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.

Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the commands might be possible via malicious firmware or rogue Bluetooth connections. This is especially the case if an attacker already has root access, planted malware, or pushed a malicious update to the device that opens up low-level access.

"In a context where you can compromise an IoT device with an ESP32 you will be able to hide an APT inside the ESP memory and perform Bluetooth (or Wi-Fi) attacks against other devices, while controlling the device over Wi-Fi/Bluetooth," the researchers explained to BleepingComputer.

HCI is pretty much the front door of a Bluetooth chip, the low-level API your application uses to operate Bluetooth; if you've not secured access to that channel on your application, these commands are the least of your worries.

There's no easy fix to this without replacing all ESP32 hardware, assuming Espressif bothers with a fixed hardware revision, OEMs issue a recall, and users even know they have a proverbial time bomb waiting for botnet inclusion or network pivot. Once you have developed a driver you can gain remote access by other means, trigger your privilege elevation and drop your substitute ESP32 driver in place for whatever shenanigans you intend.

Secondly, Bluetooth is very short-distance communication for the ESP32 chip; the communication distance is less than 10 meters.

What systems do not have a back door? Linux, AIX, Solaris all have back doors; any systems administrator can run a number of tools to capture your password, unless the commands are protected by our software.
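The article describes the undocumented commands as vendor-specific HCI commands (Opcode 0x3F); in the Bluetooth Core Specification the 16-bit HCI opcode splits into a 6-bit OGF and a 10-bit OCF, and OGF 0x3F is the range reserved for vendor-specific commands. The Python below is an added example, not Tarlogic's driver or Espressif code: it parses an H4-framed HCI command stream and reports which commands fall in that range, which is what a host-side monitor would check to see vendor commands reaching the controller. The sample bytes are constructed, and the vendor OCF 0x0001 is a placeholder rather than one of the 29 commands the article mentions.

```python
# Added example (not Tarlogic's driver or Espressif code): decode H4-framed HCI
# commands and flag those in the vendor-specific range the article calls
# "Opcode 0x3F". Per the Bluetooth Core Spec the 16-bit opcode is
# OGF (upper 6 bits) | OCF (lower 10 bits); OGF 0x3F is vendor-specific.
import struct
from typing import List, NamedTuple, Tuple

H4_COMMAND = 0x01   # H4 packet-type indicator for an HCI command packet
VENDOR_OGF = 0x3F   # OGF reserved by the spec for vendor-specific commands


class HciCommand(NamedTuple):
    ogf: int
    ocf: int
    params: bytes

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == VENDOR_OGF


def parse_h4_commands(stream: bytes) -> List[HciCommand]:
    """Split a raw H4 stream into commands: 0x01 | opcode (LE u16) | len (u8) | params.
    Truncated or non-command packets raise ValueError rather than being skipped."""
    cmds, i = [], 0
    while i < len(stream):
        if stream[i] != H4_COMMAND:
            raise ValueError(f"unsupported H4 packet type 0x{stream[i]:02x} at offset {i}")
        if i + 4 > len(stream):
            raise ValueError("truncated HCI command header")
        opcode, plen = struct.unpack_from("<HB", stream, i + 1)
        params = stream[i + 4:i + 4 + plen]
        if len(params) != plen:
            raise ValueError("truncated HCI command parameters")
        cmds.append(HciCommand(opcode >> 10, opcode & 0x03FF, params))
        i += 4 + plen
    return cmds


def vendor_commands(stream: bytes) -> List[Tuple[int, int]]:
    """(ogf, ocf) pairs of every vendor-specific command seen in the stream."""
    return [(c.ogf, c.ocf) for c in parse_h4_commands(stream) if c.vendor_specific]


# Constructed capture: HCI_Reset (0x0C03), LE_Set_Scan_Enable (0x200C), then a
# vendor command whose OCF 0x0001 is a placeholder, not one of the 29 real ones.
SAMPLE = bytes.fromhex("01 03 0c 00" "01 0c 20 02 01 00" "01 01 fc 02 aa bb")

if __name__ == "__main__":
    for c in parse_h4_commands(SAMPLE):
        tag = "VENDOR" if c.vendor_specific else "std"
        print(f"{tag:6} OGF=0x{c.ogf:02x} OCF=0x{c.ocf:04x} params={c.params.hex()}")
```

Fed a real H4 capture instead of SAMPLE, the same loop lists every vendor-range command a host stack sent, which is the signal to investigate, since ordinary application stacks rarely need OGF 0x3F at all.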
This Cyber News was published on www.bleepingcomputer.com. Publication date: Sun, 09 Mar 2025 12:30:22 +0000