Top Bluetooth chip security flaw could put a billion devices at risk worldwide

(Image credit: Shutterstock)

Security researchers Tarlogic found a hidden feature in the ESPC32 Bluetooth chip
The affordable chip is found in millions of domestic IoT devices worldwide
The flaw allowed malicious actors access to the devices and sensitive data coming through

A low-cost Bluetooth chip which allegedly powers millions of Internet of Things (IoT) devices around the world has a “hidden feature” that allows those who know of it, to run arbitrary commands, unlock additional functionalities, and even extract sensitive information from the devices.

Cybersecurity researchers at Tarlogic have claimed ESPC32 chips, which allow connectivity via WiFi or Bluetooth, “have hidden commands not documented by the manufacturer.”

“These commands would allow modifying the chips arbitrarily to unlock additional functionalities, infecting these chips with malicious code, and even carrying out attacks of identity theft of devices," they said.

Obtaining confidential information

The ESP32 chip is built by a Chinese semiconductor company headquartered in Shanghai, called Espressif. It costs approximately $2 per unit and, according to the manufacturer, has been sold a billion times from its inception to 2023.

Tarlogic says that its affordability is one of the main reasons why it is so commonly found in Bluetooth IoT devices for domestic use.

Tarlogic first described the findings as a “backdoor”, but later backtracked on that terminology: “We would like to clarify that it is more appropriate to refer to the presence of proprietary HCI commands—which allow operations such as reading and modifying memory in the ESP32 controller—as a “hidden feature” rather than a “backdoor.”,” it said.

Stil, threat actors could use these commands to run supply chain attacks, hide backdoors in the chipset, or execute more sophisticated attacks, Tarlogic added. They could impersonate known devices to connect to mobile phones, computers, and smart devices, even when they’re in offline mode.

Tarlogic said the purpose is, “to obtain confidential information stored on them, to have access to personal and business conversations, and to spy on citizens and companies.”

We have reached out to Espressif for a comment and will update the article if we hear back.

This Find My exploit lets hackers track any Bluetooth device – here’s how you can stay safe
We've rounded up the best password managers
Take a look at our guide to the best authenticator app

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.