Serious vulnerability in ESP32 chip exposes millions of IoT devices to remote attacks


A team of researchers has discovered a hidden, undocumented command set in the ESP32 chip, a microcontroller widely used in Internet of Things (IoT) devices, which could allow device impersonation (spoofing) attacks, unauthorized data access, and the compromise of other devices connected to the same network. The finding, presented at RootedCON 2025, affects a chip that the researchers estimate has shipped in over 1 billion units worldwide.

The discovery was made by cybersecurity specialists Miguel Tarascó Acuña and Antonio Vázquez Blanco from the firm Tarlogic Security, who identified 29 undocumented vendor-specific HCI commands in the ESP32's Bluetooth controller firmware that could be abused to take low-level control of the chip's radio and memory and carry out advanced attacks.

What does this vulnerability imply?

The ESP32, manufactured by Espressif, is a microcontroller that provides WiFi and Bluetooth connectivity and is found in a wide range of products, from smart appliances to medical devices and security systems. The undocumented commands allow:

  • Reading and modifying the device's RAM and Flash memory, enabling the execution of malicious code.
  • Spoofing MAC addresses, enabling impersonation of other devices.
  • Injecting low-level packets into Bluetooth communications, opening the door to protocol-level attacks on nearby devices.

According to the researchers, exploiting these commands would allow an attacker not only to compromise the device containing the ESP32 but also to pivot from it to other devices connected to the same network.

How was this backdoor discovered?

The Tarlogic Security team developed a Bluetooth HCI USB driver in C, designed to give direct access to the Bluetooth controller without going through the operating system's Bluetooth stack and APIs. With this tool they could capture and analyze HCI traffic between host and controller in depth and probe the controller's command set, which led to the discovery of the undocumented commands.

These commands sit in HCI Opcode Group Field (OGF) 0x3F, the opcode range the Bluetooth specification reserves for vendor-specific commands, and they provide low-level access to the microcontroller, giving full control over its wireless functions. Like every HCI command, they are issued by the host processor over the host-controller interface, not received over the air, so an attacker must first be able to send commands on that interface. Espressif has not publicly documented these commands, suggesting they may have been left in by mistake or were intended as internal functionality not meant for public use.
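The following is an added example, not Tarlogic's driver or Espressif code, showing how vendor-specific HCI commands are encoded and how a monitor can pick them out of a captured HCI trace: it decodes the 16-bit opcode into its OGF and OCF fields and flags anything in OGF 0x3F that is not on an explicit allowlist. The trace it runs on is constructed for the example, and the vendor command in it uses an arbitrary OCF (0x0001) that is not one of the ESP32 commands from the talk.

```python
"""HCI (H4/UART framing) trace walker that flags vendor-specific commands.

Added example; not Tarlogic's C driver and not Espressif code.
The sample trace at the bottom is constructed by hand.
"""
import struct
from dataclasses import dataclass

# H4 packet indicator bytes (Bluetooth Core Spec, vol. 4, part A)
H4_COMMAND, H4_ACL, H4_SCO, H4_EVENT = 0x01, 0x02, 0x03, 0x04
# Opcode = OGF (6 bits) << 10 | OCF (10 bits); OGF 0x3F is reserved for vendors
OGF_VENDOR_SPECIFIC = 0x3F


@dataclass(frozen=True)
class HciCommand:
    opcode: int
    params: bytes

    @property
    def ogf(self) -> int:
        return self.opcode >> 10

    @property
    def ocf(self) -> int:
        return self.opcode & 0x03FF

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def build_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """Encode one H4-framed HCI command: indicator, opcode (LE16), length, params."""
    if not 0 <= ogf <= 0x3F or not 0 <= ocf <= 0x3FF or len(params) > 255:
        raise ValueError("opcode fields or parameter length out of range")
    return bytes([H4_COMMAND]) + struct.pack("<HB", (ogf << 10) | ocf, len(params)) + params


def parse_h4_commands(stream: bytes) -> list[HciCommand]:
    """Walk a mixed H4 stream (both directions) and return the host->controller commands."""
    commands, offset = [], 0
    while offset < len(stream):
        kind = stream[offset]
        if kind == H4_COMMAND:
            opcode, plen = struct.unpack_from("<HB", stream, offset + 1)
            body = stream[offset + 4 : offset + 4 + plen]
            if len(body) != plen:
                raise ValueError(f"truncated command at offset {offset}")
            commands.append(HciCommand(opcode, bytes(body)))
            offset += 4 + plen
        elif kind == H4_EVENT:  # event code, parameter length
            offset += 3 + stream[offset + 2]
        elif kind == H4_ACL:  # handle/flags LE16, data length LE16
            (dlen,) = struct.unpack_from("<H", stream, offset + 3)
            offset += 5 + dlen
        elif kind == H4_SCO:  # handle LE16, data length u8
            offset += 4 + stream[offset + 3]
        else:
            raise ValueError(f"unknown H4 indicator 0x{kind:02x} at offset {offset}")
        if offset > len(stream):
            raise ValueError("truncated packet at end of stream")
    return commands


def flag_vendor_commands(stream: bytes, allowlist=frozenset()) -> list[HciCommand]:
    """Return OGF 0x3F commands whose (ogf, ocf) pair is not explicitly allowlisted.

    Any vendor-specific command the host was never expected to send is an alert candidate.
    """
    return [c for c in parse_h4_commands(stream)
            if c.vendor_specific and (c.ogf, c.ocf) not in allowlist]


# Constructed trace: HCI_Reset, its Command Complete event, HCI_Read_BD_ADDR,
# and one hypothetical vendor command (OCF 0x0001 and its parameters are made up
# for this example; they are NOT one of the undocumented ESP32 commands).
HCI_RESET = build_command(0x03, 0x0003)  # opcode 0x0C03
CMD_COMPLETE_RESET = bytes([H4_EVENT, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00])
READ_BD_ADDR = build_command(0x04, 0x0009)  # opcode 0x1009
HYPOTHETICAL_VENDOR_CMD = build_command(OGF_VENDOR_SPECIFIC, 0x0001, b"\x00\x10\x00\x40")
SAMPLE_TRACE = HCI_RESET + CMD_COMPLETE_RESET + READ_BD_ADDR + HYPOTHETICAL_VENDOR_CMD

if __name__ == "__main__":
    for cmd in parse_h4_commands(SAMPLE_TRACE):
        tag = "VENDOR-SPECIFIC" if cmd.vendor_specific else "standard"
        print(f"opcode 0x{cmd.opcode:04X}  OGF 0x{cmd.ogf:02X}  OCF 0x{cmd.ocf:04X}  {tag}")
```

On a real device the same classification can be run over a btsnoop capture or an HCI sniffer on the UART/USB link between host and controller; the allowlist should hold only the vendor commands the host firmware legitimately issues (for example at stack initialization), so that anything else in OGF 0x3F raises an alert.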

Impact on security and potential attacks

The researchers warn that the existence of these hidden commands opens up several attack scenarios:

  1. Exploitation by malicious or compromised host firmware, or by an attacker who can manipulate the Bluetooth link; since the commands are issued over the host-controller interface, the attacker first needs a foothold on the host.
  2. Persistence in IoT devices: because the commands can write Flash, an attacker can keep access even after the device is restarted.
  3. Supply chain attacks, where a malicious manufacturer or supplier could use the commands to plant backdoors in devices before distribution.
  4. Compromise of entire networks, using the ESP32 as an entry point to launch attacks against other connected devices.

Mitigation measures

Given the global reach of the affected chip, experts recommend a series of measures to minimize the risk:

  • Update the ESP32 firmware as soon as Espressif releases a fix.
  • Restrict physical access to devices that use this microcontroller, including access to their debug and HCI interfaces.
  • Actively monitor Bluetooth and WiFi traffic in critical environments, and watch HCI traffic for vendor-specific (OGF 0x3F) commands the host is not expected to issue.
  • Avoid using the ESP32 in sensitive systems until its security is assured.

Will Espressif respond?

At the time of writing, Espressif has not issued an official statement on the presence of these undocumented commands in its ESP32 chips. The cybersecurity community expects the company to respond with security updates and greater transparency in the documentation of its microcontrollers.

This finding underscores the need for ongoing security audits of IoT devices, especially as their use extends to critical environments such as industry, healthcare, and home security systems. Depending on hardware with hidden, undocumented functionality poses a significant security risk for millions of users worldwide.

via: Security News
