You’ve probably been talking about something at some point, a trip, a trick you saw on TikTok, and suddenly, all the ads that appear on your Facebook page and all the videos you see are related to what you were talking about. Sure, right? Imagine now enjoying your speaker, your watch, your cell phone… or even the security of your home! And everything seems fine, but you find out that these devices have a microchip inside that could be allowing someone to access them (and therefore, your most private information) without you even realizing it… It sounds like a spy movie, but that’s what’s happened with some gadgets that use Wi-Fi and Bluetooth to connect. We’ll tell you everything you need to know to protect your safety and that of your family.
I don’t understand, what happened?
We’re talking about a chip called ESP32. It’s one of the most used in Bluetooth devices, and it was manufactured in China by Espressif in 2023. It turns out that this chip has a hidden backdoor that could be exploited to carry out attacks. The main problem is that this chip is in billions of devices around the world, from household appliances to cars. And now, we know it could be exploited to do things you definitely wouldn’t want your devices to do.
What is the ESP32 and why should you care?
The ESP32 is a low-cost chip that allows devices to connect to each other and to the internet. It’s found in products like security cameras, sensors, voice assistants, and even smart coffee makers. So, if you have a Bluetooth-enabled device at home, there’s a good chance it has this chip.
Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco, from Tarlogic Security, alerted on the The RootedCON cybersecurity conference in Madrid about this chip because they discovered that the ESP32 contains 29 hidden commands, which could allow an attacker to do whatever they want without anyone noticing!
What happened to ESP32 security?
Basically, experts highlighted the existence of this hidden way of controlling advanced functions via Wi-Fi that shouldn’t be allowed, allowing anyone with a little bit of skill to access controls or information they shouldn’t have.
What could attackers do?
Easy peasy. If you think this isn’t your problem, be prepared. Mainly because, through Wi-Fi, they could access all the devices in your home and spy on the information stored on them, or, for example, impersonate your Bluetooth device to access other systems. Although this vulnerability hasn’t been reported to have been exploited on a large scale, the risk remains, and anyone could exploit it.
How did Tarlogic discover this?
This company developed a new, cross-platform, hardware-independent USB-to-C Bluetooth driver that allowed them to analyse Bluetooth traffic more deeply. Using this tool, they discovered hidden commands in the ESP32 firmware, specifically in the 0x3F opcode, that allow low-level control over the chip’s Bluetooth functions. A total of 29 commands were found that could be used for malicious activities.
Is there anything I can do to protect myself?
For now, the chip manufacturer hasn’t provided any answers regarding what happened, but while we wait for a solution, you can keep your devices’ firmware updated (as the update is expected to close the remaining loophole). Disable Bluetooth if you’re not using it, as the fewer active connections you have, the fewer opportunities for attackers.
If you have a modern router, enable advanced security options to quickly detect any suspicious access.
For now, the best thing we can do is stay informed, update our devices, and take precautions; we have no other option. Because even if we don’t see it, danger could be lurking in every corner of our home… waiting for us.