Hidden Backdoor Discovery Could Expose 1 Billion Bluetooth Devices To Hackers

Researchers have uncovered a proprietary, undocumented command in Chinese manufacturer Espressif’s ESP32 chips that could be exploited to the potential detriment of millions of users.

The ESP32 chip allows connectivity through Wi-Fi or Bluetooth and can be found in millions of Internet of Things (IoT) devices. At RootedCON, a notable Spanish cybersecurity conference in Madrid, Miguel Tarascó and Antonio Vázquez, researchers at Tarlogic, presented their discovery of commands within the ESP32 that could grant access and make it possible for bad actors to gain control of users’ devices.

According to their findings, these commands could allow an attacker to make changes to enable more functions, install malware, and even cause a device to impersonate another. Highlighting the threat of impersonation, the researchers revealed that hackers could make their devices appear like trusted devices. Hackers can then connect to victims’ smartphones or computers and gain unauthorized access. Having gained access, it becomes easy to eavesdrop on conversations, steal data, and spy on users or their companies. Even worse, malicious actors can still operate while the victims’ devices are offline.

In a blog post, the researchers subsequently offered clarification, describing the command not as a “backdoor feature” but as a “hidden feature,” and saying that, if exploited, “the commands could facilitate supply chain attacks, the concealment of backdoors in the chipset, or the execution of more sophisticated attacks.”

Tarlogic also presented a security tool called BluetoothUSB, which it believes will make it easier and cheaper to test the security of Bluetooth devices. According to the company, the software is unique because it is free and performs a comprehensive security test on all kinds of devices, regardless of their operating system or programming language, and removes the need for different types of hardware for the test.

The company has promised further updates to provide technical details on its discovery in the weeks ahead.