ESP32 chips used in millions of IoT devices contain hidden functionality that could lead to identity theft
Security company Tarlogic Security has reported that the ESP32 chip used for Wi-Fi and Bluetooth connections in millions of IoT devices contains hidden functionality that can be exploited to steal personal information.
Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices
The discovery was announced at the
According to Tarlogic Security, the discovery was made while conducting research into Bluetooth standards.
If exploited, the hidden functionality in question could allow a hostile attacker to perform a spoofing attack to persistently infect devices such as smartphones, PCs, smart home devices, and medical devices.
The ESP32 chip in question is inexpensive and easy to purchase, costing just 2 euros (about 320 yen), so it is used in many IoT devices, and manufacturer Espressif announced in 2023 that '1 billion units have been shipped to date.'
Although Tarlogic Security reported that this function was a 'backdoor,' security researcher Zeno Cova pointed out that 'the vendor-specific HCI commands to read and write controller memory (at issue) are a common design found in Bluetooth chips from other vendors, including Broadcom, Cypress, and Cypress. The vendor-specific commands effectively constitute a private API. The choice not to publicly document a private API is not a 'backdoor.''
In response to Kova's suggestion, Tarlogic Security changed its terminology from 'backdoor' to 'hidden functionality,' while BleepingComputer, a security news site that reported on the matter, changed its terminology to 'undocumented commands.'
Undocumented commands found in Bluetooth chip used by a billion devices
https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/
Related Posts:
