Latest news with #Espressif
Ammon
13-03-2025
- Ammon
Undocumented commands found in Bluetooth chip used by a billion devices
Ammon News - After receiving concerns about the use of the term 'backdoor' to refer to these undocumented commands, we have updated our title and story. Our original story can be found here. The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks. The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence. This was discovered by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security, who presented their findings yesterday at RootedCON in Madrid. "Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices," reads a Tarlogic announcement shared with BleepingComputer. "Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls." The researchers warned that ESP32 is one of the world's most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk is significant. Bleeping computer
Yahoo
11-03-2025
- Yahoo
Secret commands found in Bluetooth chip used in a billion devices
A potential security issue has been discovered by cybersecurity researchers that has the capability to affect more than one billion devices. According to researchers at the cybersecurity firm Tarlogic, a hidden command has been found coded into a bluetooth chip installed in devices around the world. This secret functionality can be weaponized by bad actors and, according to the researchers, used as an exploit into these devices. Using these commands, hackers could impersonate a trusted device and then connect to smartphones, computers, and other devices in order to access information stored on them. Bad actors can continue to utilize their connection to the device to essentially spy on users. The bluetooth chip is called ESP32 and is manufactured by the China-based company Espressif. According to researchers, the ESP32 is "a microcontroller that enables WiFi and Bluetooth connection." In 2023, Espressif reported that one billion units of its ESP32 chip had been sold globally. Millions of IoT devices like smart appliances utilize this particular ESP32 chip. SEE ALSO: New 'browser syncjacking' cyberattack lets hackers take over your computer via Chrome Tarlogic researchers say that this hidden command could be exploited, which would allow "hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls." Tarlogic says that these commands are not publicly documented by Espressif. Researchers with Tarlogic developed a new Bluetooth driver tool in order to aid in Bluetooth-related security research, which enabled the security firm to discover a total of 29 hidden functionalities that could be exploited to impersonate known devices and access confidential information stored on a device. According to Tarlogic, Espressif sells these bluetooth chips for roughly $2, which explains why so many devices utilize the component over higher costing options. As BleepingComputer reports, the issue is being tracked as CVE-2025-27840.
