A hidden backdoor vulnerability discovered in ESP32 microchip

A previously unknown set of low-level commands has been discovered in the ESP32 microchip, one of the most widely used chips in IoT devices. The chip is manufactured by Espressif, a Chinese company, and provides Wi-Fi and Bluetooth connectivity to a vast number of smart gadgets, including mobile phones, computers, smart locks, and medical devices.

As of 2023, this microchip is placed in more than a billion devices worldwide. The discovery comes from Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security.

During their presentation at RootedCON in Madrid, the researchers revealed the existence of undocumented proprietary HCI commands in the Bluetooth firmware of the ESP32. The collection contains 29 hidden vendor-specific commands, which include Opcode 0x3F, intended for low-level control of Bluetooth functionality.

In a subsequent blog update, the researchers avoided calling their find a ‘backdoor’ and instead described these proprietary HCI commands as ‘hidden features’ that allow reading and writing the ESP32 controller's memory. There are also concerns that the discovery could potentially be used for supply chain attacks and for concealing backdoors in the chipset.

The existence of undocumented commands raises concerns about their potential misuse at OEMs and about ongoing supply chain risk. Espressif has not yet published anything about them; the presumption is that the commands were left in unintentionally rather than included by design.

Using these commands, memory can be manipulated in unintended ways, reading from and writing to RAM and Flash. They can also be used to spoof MAC addresses, allowing an attacker to impersonate a legitimate device, and they enable LMP/LLCP packet injection.
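A defender who wants visibility into the vendor-specific command group the article mentions (0x3F) can decode HCI command packets from a host-controller trace and flag any that fall into that group. The following Python is an added example, not code from the article or from Tarlogic or Espressif; it assumes packets in the standard H4 framing (as captured by btmon/btsnoop), the sample trace is constructed, and the vendor OCF used is a placeholder rather than one of the ESP32's real undocumented commands.

```python
"""Decode raw Bluetooth HCI command packets and flag vendor-specific ones.

HCI command packet layout (Bluetooth Core Spec, H4 transport):
    0x01 | opcode (2 bytes, little-endian) | parameter length (1 byte) | params
opcode = (OGF << 10) | OCF; OGF 0x3F is reserved for vendor-specific commands.
The sample packets below are constructed; the vendor OCF is a placeholder
and is NOT one of the ESP32's real undocumented commands.
"""
import struct

HCI_COMMAND_PKT = 0x01
OGF_VENDOR_SPECIFIC = 0x3F


def parse_hci_command(pkt: bytes) -> dict:
    """Split one H4 HCI command packet into its opcode fields and parameters."""
    if len(pkt) < 4 or pkt[0] != HCI_COMMAND_PKT:
        raise ValueError("not an HCI command packet")
    opcode, plen = struct.unpack_from("<HB", pkt, 1)
    params = pkt[4:4 + plen]
    if len(params) != plen:
        raise ValueError("truncated parameters")
    return {
        "opcode": opcode,
        "ogf": opcode >> 10,
        "ocf": opcode & 0x03FF,
        "params": params,
        "vendor_specific": (opcode >> 10) == OGF_VENDOR_SPECIFIC,
    }


def find_vendor_commands(trace: list[bytes]) -> list[dict]:
    """Return decoded entries for every vendor-specific (OGF 0x3F) command in a trace."""
    return [d for d in (parse_hci_command(p) for p in trace) if d["vendor_specific"]]


# Constructed trace: two standard commands followed by one vendor-specific command.
SAMPLE_TRACE = [
    bytes([0x01, 0x03, 0x0C, 0x00]),  # HCI_Reset: OGF 0x03, OCF 0x003
    bytes([0x01, 0x09, 0x10, 0x00]),  # HCI_Read_BD_ADDR: OGF 0x04, OCF 0x009
    # Placeholder vendor command (OGF 0x3F, OCF 0x001) with two parameter bytes.
    bytes([0x01]) + struct.pack("<HB", (0x3F << 10) | 0x0001, 2) + b"\xAA\xBB",
]

if __name__ == "__main__":
    for entry in find_vendor_commands(SAMPLE_TRACE):
        print(f"vendor-specific HCI command: OGF=0x{entry['ogf']:02X} "
              f"OCF=0x{entry['ocf']:03X} params={entry['params'].hex()}")
```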

Taken individually, these functions may not seem all that dangerous, but together they can greatly assist an attacker with impersonation attacks, with slipping through security audits, or with making irreversible changes to a device's functionality after gaining access.
