- Tarlogic security researchers found a hidden feature in the Bluetooth ESPC32 chip
- The affordable chip is found in millions of national IoT devices worldwide.
- The defect allowed access to malicious actors to the devices and the confidential data that advance
A low -cost Bluetooth chip that supposedly drives millions of Internet devices of things (IoT) worldwide has a “hidden characteristic” that allows those who know it, execute arbitrary commands, unlock additional functionalities and even extract sensitive information from devices.
Tarlogic cybersecurity researchers have claimed ESPC32 chips, which allow connectivity through Wi -Fi or Bluetooth, “they have hidden commands not documented by the manufacturer.”
“These commands would allow modifying the chips arbitrarily to unlock additional functionalities, infect these chips with malicious code and even carry out attacks on theft of identity devices,” they said.
Obtain confidential information
The ESP32 chip is built by a Chinese semiconductor company based in Shanghai, called Espressif. It costs approximately $ 2 per unit and, according to the manufacturer, it has been sold one billion times from its beginning until 2023.
Tarlogic says that its affordability is one of the main reasons why it is commonly found in the Bluetooth IoT devices for domestic use.
Tarlogic first described the findings as a “back door”, but then backed up in that terminology: “We would like to clarify that it is more appropriate to refer to the presence of Patented HCI commands, which allow operations such as reading and modifying memory in the ESP32 controller, as a” hidden characteristic “instead of a” rear. “
Stilil actors, threats could use these commands to execute attack chain attacks, hide rear doors on the chipset or execute more sophisticated attacks, Tarlogic added. They could impersonate known devices to connect to mobile phones, computers and intelligent devices, even when they are off -line mode.
Tarlogic said the purpose is: “to obtain confidential information stored in them, have access to personal and commercial conversations, and spy on citizens and companies.”
We have communicated with an espressif comment and we will update the article if we receive news.
