Undocumented Hidden Feature Found in Espressif ESP32 Microchip
Researchers at Tarlogic Innovation have uncovered undocumented functionality in the ESP32 microcontroller manufactured by Espressif. With more than a billion units shipped, the ESP32 is embedded in a vast range of products, from smart locks and medical equipment to consumer electronics, which is what makes the finding significant.
The findings, presented at RootedCON, show that the hidden functionality could be abused to mount impersonation attacks and to establish persistent infections on affected devices, a risk that extends to millions of IoT products. Alongside the research, Tarlogic developed BluetoothUSB, a hardware-independent USB Bluetooth driver that lets researchers build and run Bluetooth security audits against any device without depending on a particular operating system or programming language.
The discovery came out of a systematic audit of Bluetooth device security conducted with the BSAM methodology, which Tarlogic introduced last year. The hidden functionality is a set of undocumented vendor-specific HCI commands in opcode group 0x3F, the group the Bluetooth specification reserves for vendor commands, and it is present in millions of IoT devices that can be purchased on popular e-commerce sites for as little as €2.
"In the course of the investigation, we discovered a hidden feature in the ESP32 chip, used in millions of IoT devices and which can be purchased on the world's most famous e-commerce sites for €2," said the researchers. "It is this low cost that explains why it is present in the vast majority of Bluetooth IoT devices for domestic use."
According to Espressif, one billion units of the ESP32 had been sold worldwide as of 2023. That figure illustrates how widely the microcontroller is deployed, and therefore how far any weakness in it can reach.
The researchers demonstrated how an attacker with access to these commands could take control of the ESP32's Bluetooth controller, gain persistence by modifying RAM and flash, and potentially pivot to other devices using advanced Bluetooth attacks. One caveat matters for assessing the risk: HCI commands travel over the host-to-controller interface rather than over the air, so issuing them presupposes code running on the host side, whether the application firmware on the ESP32 itself or a host attached over UART or USB. The presence of proprietary HCI commands therefore does not in itself constitute a backdoor, but it does raise real concerns about supply-chain attacks, the concealment of backdoors in the chipset, and what an attacker who has already gained a foothold on the host could do with them.
"We would like to clarify that it is more appropriate to refer to the presence of proprietary HCI commands—which allow operations such as reading and modifying memory in the ESP32 controller—as a 'hidden feature' rather than a 'backdoor,'" concludes the report. "The use of these commands could facilitate supply chain attacks, the concealment of backdoors in the chipset, or the execution of more sophisticated attacks."
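Because every HCI command carries its opcode group in the top six bits of its opcode, proprietary commands of the kind the report describes are straightforward to spot on the host-controller link. The following is an added example, not code from Tarlogic or Espressif: it encodes and decodes HCI command packets on the H4 (UART) transport, walks a captured byte stream past ACL, SCO and event packets, and reports every command in opcode group 0x3F. The sample traffic is constructed for illustration, and the vendor OCF and parameter values in it are hypothetical; they are not the ESP32's actual undocumented commands.

```python
"""Audit an H4 (UART transport) HCI byte stream for vendor-specific commands.

Added example, not Tarlogic's or Espressif's code. HCI encodes every command
opcode as (OGF << 10) | OCF; the Bluetooth Core Specification reserves Opcode
Group Field 0x3F for vendor-specific commands, which is where proprietary
commands such as the ones described above live. The sample stream and the
vendor OCF/parameters below are constructed and hypothetical.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

# H4 packet type indicators (Core Spec Vol 4, Part A)
H4_COMMAND, H4_ACL, H4_SCO, H4_EVENT = 0x01, 0x02, 0x03, 0x04
OGF_VENDOR_SPECIFIC = 0x3F

# Opcode groups defined by the Core Specification (Vol 4, Part E, 7.x).
OGF_NAMES = {
    0x01: "Link Control", 0x02: "Link Policy", 0x03: "Controller & Baseband",
    0x04: "Informational", 0x05: "Status", 0x06: "Testing", 0x08: "LE Controller",
    0x3F: "Vendor Specific",
}


@dataclass(frozen=True)
class HciCommand:
    ogf: int
    ocf: int
    params: bytes

    @property
    def opcode(self) -> int:
        return (self.ogf << 10) | self.ocf

    @property
    def group(self) -> str:
        return OGF_NAMES.get(self.ogf, "Unknown")

    @property
    def is_vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def build_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """Encode one H4 HCI command: type byte, opcode (LE16), parameter length, parameters."""
    if not 0 <= ogf <= 0x3F or not 0 <= ocf <= 0x3FF:
        raise ValueError("OGF is 6 bits, OCF is 10 bits")
    if len(params) > 255:
        raise ValueError("HCI command parameters are limited to 255 bytes")
    return bytes([H4_COMMAND]) + struct.pack("<HB", (ogf << 10) | ocf, len(params)) + params


def parse_h4_stream(data: bytes) -> list[HciCommand]:
    """Walk an H4 stream, skipping ACL/SCO/event packets, and return the commands in order."""
    commands: list[HciCommand] = []
    i = 0
    while i < len(data):
        ptype = data[i]
        if ptype == H4_COMMAND:                     # opcode (2) + parameter length (1)
            opcode, plen = struct.unpack_from("<HB", data, i + 1)
            params = data[i + 4 : i + 4 + plen]
            if len(params) != plen:
                raise ValueError(f"truncated command at offset {i}")
            commands.append(HciCommand(opcode >> 10, opcode & 0x3FF, bytes(params)))
            i += 4 + plen
        elif ptype == H4_ACL:                       # handle/flags (2) + data length (2)
            (dlen,) = struct.unpack_from("<H", data, i + 3)
            i += 5 + dlen
        elif ptype == H4_SCO:                       # handle (2) + data length (1)
            i += 4 + data[i + 3]
        elif ptype == H4_EVENT:                     # event code (1) + parameter length (1)
            i += 3 + data[i + 2]
        else:
            raise ValueError(f"unknown H4 packet type 0x{ptype:02x} at offset {i}")
    return commands


def vendor_specific_commands(data: bytes) -> list[HciCommand]:
    """The audit itself: every OGF 0x3F command on the link is a proprietary one."""
    return [c for c in parse_h4_stream(data) if c.is_vendor_specific]


# Constructed sample traffic (host -> controller plus one event), not a real capture.
SAMPLE_STREAM = (
    build_command(0x03, 0x0003)                                  # HCI_Reset, opcode 0x0C03
    + bytes([H4_EVENT, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00])     # Command Complete for Reset
    + build_command(0x08, 0x000C, bytes([0x01, 0x00]))           # LE_Set_Scan_Enable, 0x200C
    # Hypothetical vendor command: OCF 0x0001 and its address/length parameters are invented.
    + build_command(OGF_VENDOR_SPECIFIC, 0x0001, struct.pack("<II", 0x1000, 0x10))
)

if __name__ == "__main__":
    for cmd in parse_h4_stream(SAMPLE_STREAM):
        flag = "  <-- vendor-specific, not defined by the Core Spec" if cmd.is_vendor_specific else ""
        print(f"opcode 0x{cmd.opcode:04x}  OGF 0x{cmd.ogf:02x} ({cmd.group})  OCF 0x{cmd.ocf:03x}{flag}")
```

Run against a real H4 capture (for example, the bytes a host stack writes to a controller's UART), the same walker flags every proprietary command regardless of vendor; what the 0x3F commands actually do still has to be established per chip, since the specification says nothing about their semantics.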
Tarlogic plans to publish further technical details. In the meantime, users and manufacturers are advised to take proactive steps to limit their exposure until more is known.
"We aim to democratize security analysis for millions of IoT devices, helping manufacturers develop tools to test and protect Bluetooth-enabled gadgets," said the researchers. "Our tool, BluetoothUSB, eliminates the need for diverse hardware, making security testing more accessible and empowering a wider range of experts to contribute to the development of secure systems."
The discovery of this undocumented functionality is a reminder of why ongoing security research matters. As IoT devices continue to proliferate, manufacturers and users alike need to prioritize security and act proactively against emerging threats.