Attackers can use undocumented commands to hijack Chinese-made Bluetooth chips

Security researchers have shared details of newly discovered, undocumented commands in ESP32 Bluetooth firmware that could be exploited by an attacker. The Chinese-made chip is found in millions of devices, meaning the findings are significant.
Speaking at RootedCON in Madrid, researchers from Tarlogic Security, Miguel Tarascó Acuña and Antonio Vázquez Blanco, described the “hidden functionality” they have unearthed as a backdoor, but later conceded that this may be a misleading description. They warn that exploitation could allow “hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls”.
The ESP32 chip is extremely cheap, which accounts for its widespread use. The manufacturer of the hardware, Espressif, has reported that over one billion units have been sold, and a typical usage is in IoT devices. The undocumented commands can be executed from macOS, Windows and Linux, opening up numerous starting points for an attack.
While initially described as a “backdoor”, the undocumented commands were later described as “hidden functionality”. The change in language stems from the fact that individual commands do not themselves pose a risk, although the list of commands has yet to be published, for obvious reasons.
The issue is being tracked as CVE-2025-27840, which has the following description:
Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory).
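As an added illustration (not from the article or from Tarlogic), the following Python splits an HCI opcode such as 0xFC02 into its Opcode Group Field and Opcode Command Field, showing that it sits in the vendor-specific group (OGF 0x3F), and flags every such command in an H4-framed HCI command stream of the kind a host-side capture would contain. The sample stream is constructed, and its parameter bytes are arbitrary; the opcode layout is the one defined in the Bluetooth Core specification.

```python
import struct
from dataclasses import dataclass

H4_COMMAND = 0x01           # H4 packet-type indicator byte for an HCI command packet
OGF_VENDOR_SPECIFIC = 0x3F  # Opcode Group Field reserved for vendor-specific commands

@dataclass
class HciCommand:
    opcode: int
    ogf: int
    ocf: int
    params: bytes

def split_opcode(opcode: int) -> tuple[int, int]:
    # A 16-bit HCI opcode is OGF (upper 6 bits) followed by OCF (lower 10 bits)
    return opcode >> 10, opcode & 0x3FF

def parse_h4_commands(stream: bytes) -> list[HciCommand]:
    # Walk an H4-framed stream assumed to hold only command packets:
    # type byte 0x01, little-endian opcode, parameter length, parameters
    cmds, pos = [], 0
    while pos < len(stream):
        if stream[pos] != H4_COMMAND:
            raise ValueError(f"unexpected H4 packet type 0x{stream[pos]:02x} at offset {pos}")
        opcode, plen = struct.unpack_from("<HB", stream, pos + 1)
        params = stream[pos + 4:pos + 4 + plen]
        if len(params) != plen:
            raise ValueError(f"truncated HCI command at offset {pos}")
        ogf, ocf = split_opcode(opcode)
        cmds.append(HciCommand(opcode, ogf, ocf, params))
        pos += 4 + plen
    return cmds

def flag_vendor_commands(stream: bytes) -> list[str]:
    # One finding line per command in the vendor-specific group; a monitoring
    # rule would compare these against the commands a host is expected to send
    return [
        f"vendor-specific HCI command 0x{c.opcode:04X} (OGF=0x{c.ogf:02X}, OCF=0x{c.ocf:03X}), "
        f"{len(c.params)} parameter bytes"
        for c in parse_h4_commands(stream) if c.ogf == OGF_VENDOR_SPECIFIC
    ]

# Constructed sample stream: a standard HCI_Reset (opcode 0x0C03, no parameters)
# followed by the vendor-specific opcode 0xFC02 with four arbitrary parameter bytes.
SAMPLE_STREAM = bytes([0x01, 0x03, 0x0C, 0x00,
                       0x01, 0x02, 0xFC, 0x04, 0xAA, 0xBB, 0xCC, 0xDD])
```

Running `flag_vendor_commands(SAMPLE_STREAM)` reports only the 0xFC02 packet; the standard HCI_Reset passes silently.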
The discovery came as part of a wider investigation into the Bluetooth standard. As part of this research, security auditing tools were developed, as the security firm explains:
Tarlogic’s Innovation Department has developed BluetoothUSB, a driver that allows security tests and attacks to be carried out to achieve complete security audits on all kinds of devices regardless of the operating system or programming language and without the need for a wide variety of hardware to carry out all the tests in an audit, all free of charge.
BluetoothUSB aims to facilitate development and democratize access to the tools needed to analyze the security of the Bluetooth standard in millions of IoT devices. Thanks to this software, it is possible for manufacturers to develop tools to carry out their tests on all kinds of Bluetooth devices.
The researchers’ findings can be read in full here (Spanish).
Image credit: Tarlogic Security