Source Link Privacy.
Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.
Update: The ESP32 “backdoor” that wasn’t.
Well… Shit.
There are so, so, so, many ESP32’s in not just my house, but practically everyone I know.
There outta be fines for this BS.
You’re fine. This isn’t something that can be exploited over wifi. You literally need physical access to the device to exploit it as it’s commands over USB that allow flashing the chip.
This is a security firm making everything sound scary because they want you to buy their testing device.
You literally need physical access to the device to exploit it
You don’t need physical access. Read the article. The researcher used physical USB to discover that the Bluetooth firmware has backdoors. It doesn’t require physical access to exploit.
It’s Bluetooth that’s vulnerable.
Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the backdoor might be possible via malicious firmware or rogue Bluetooth connections.
I really wish these articles just tell us what these scenarios are. I understand companies need publicity or need to sell software but if it isn’t replicatable and the article says “might be possible” it kind of sounds like a secuity sales pitch.
This is especially the case if an attacker already has root access, planted malware, or pushed a malicious update on the device that opens up low-level access.
This part basically sounds more like a software issue where the attacker has a way in already. The system is already vulernable at this point before using the exploit found.
I don’t think there’s enough information out yet.
It is very interesting though.
I just re-read the article and yes, you still need physical access.
The exploit is one that bypasses OS protections to writing to the firmware. In otherwords, you need to get the device to run a malicious piece of code or exploit a vulnerability in already running code that also interacts with the bluetooth stack.
The exploit, explicitly, is not one that can be carried out with a drive-by Bluetooth connection. You also need faulty software running on the device.
“Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the backdoor might be possible via malicious firmware or rogue Bluetooth connections.”
I of course don’t know details but I’m basing my post on that sentence. “Backdoor may be possible via … rogue Bluetooth connections.”
I do have a few outside. Probably not the best security-wise. Haha. Those are the first to get patched when one comes out.
Security wise, unless you are being specifically targeted by someone, you are almost certainly fine. And if you are being specifically targeted, I think someone hacking your ESPs is the least of your worries. A malicious attacker that knows your physical location can do a lot more scary things than just spying through ESPs.
Just wait until a jester creates a software that sends an erase flash backdoor command to any BT device it sees.
In that case, how long til some open source project uses it to make a custom firmware to bypass the manufacturer bs and integrate my cheap IoTs seamlessly into Home assistant?
You can already reflash a lot of devices for this purpose. And you could use esp-home to customise once reflashed
Really? Where can I find this
Heres the top google link i found: https://randomnerdtutorials.com/how-to-flash-a-custom-firmware-to-sonoff/
Esp-home is available as a HA addin, docs here: https://esphome.io/
Esp-home also works with the older esp-01 - it was released as a wifi module so there are only two gpio’s, but thats enough for a lot of home automation stuff.
Here’s one i have connected to HA, where HA uses rest-api to capture some data from a game called tacticus, and it shows my available tokens for guild raid and arena
Thanks
Tasmota is another option if they have your specific device in their list. Otherwise you have to do some debugging to figure out what gpio or i2c address to use.
I think we are basically already there with ESPs :D.
Wrong. Read the analysis. It is a BT vulnerability. One can probably design a cheap attack system that just sends a erase flash command to any BT device in reach, instantly bricking every BT enabled ESP32 device.
Just reread it and no, it’s not a BT vulnerability. The “erase flash” command is something that has to be done by software running outside the BT stack. You can even see that inside the slides. The
UsbBluetoothsoftware is connected to the device with the flawed bluetooth chipset.The vulnerability is that if you have this chipset and compromised software, someone can flash the chipset with compromised flash. They even say that it’s not an easy attack to pull off in the article.
In general, though, physical access to the device’s USB or UART interface would be far riskier and a more realistic attack scenario.
In otherwords, the attack is something that can only be pulled off if there’s also a security vulnerability within other parts of the hardware stack.
Yeah, that’s not the main concern.
Too much fanfare and too little real info shared to be of any value. Sounds more like an ad than infosec
I’d like to know if this is just a firmware update or unfixable, but sadly this seems just an ad rather than news
Here’s an article with a bit more detail… but I’m still unclear whether these backdoor commands are hardware circuits or firmware logic.
Bleeping Computer: Undocumented “backdoor” found in Bluetooth chip used by a billion devices
Solid article. I imagine the folks at the cyberwire podcast will be doing more digging over the weekend for a solid summary come Monday.
deleted by creator
Even if it were fixable, it would be up to manufacturers to push updates. I doubt any really care enough.
It is not easy to determine how fixable this is. IIRC, the ESP32 has the wireless stack hidden from user space, and I am not sure if it is a blob included during link time, or if it is stored in a ROM of the chip. I do have the chips and the development enviroment in my studio, but (luckily) I decided to use a different chip for my project.
But I know there is a load of systems using either the ESP32 as their main processor, or as an auxiliary processor to add WiFi or BT capabilities, so this really is a big oh shit moment.
Not the first time a backdoor was found on Chinese made hardware and it won‘t be the last time. Decoupling can‘t happen quickly enough.
Which government’s backdoors would you prefer?
“We know you have a choice in oppressive governments, so we appreciate you choosing ours.”
None of them, that’s why the only things in my house that connect to the internet are my computers, game consoles, and cell phone
Assuming you’re not joking here, if your computers are any way modern they almost certainly have a backdoor.
Obviously, but I trust my Linux mint laptop a hell of a lot better than my aunt’s XIPPLG branded wifi cat feeder that she bought off Amazon
True, but the ESP32 is used by a lot of devices. This backdoor is pretty huge in scope of devices impacted.
It depends on what the method of attack is. I’m not seeing anything saying that it would be possible to exploit wirelessly, so this could easily be mostly a non-issue.
I mean, most users here are browsing using a device with an AMD or Intel CPU, both with known backdoors. Not the first time a backdoor was found on American made hardware and it won’t be the last.
One more reason to have actual open-source drivers instead of binary blobs…
The Chinese adding back doors into their software/hardware.
Say it ain’t so!
Say it ain’t so
Your bug is a heartbleeder
Say it ain’t so
My NIC is a bytetaker
Is this some hardware flaw, or just something in their standard BT stack?
Removed by mod
Yeah one of my more… tech adventurous friends had the most insane series of security breaches (to out it mildly) potentially related to this and some other recent ridiculousness.
The blob strikes again
Hey look china got caught putting backdoors in hardware AGAIN
I have a bunch of ESP32’s that … I can update and replace the firmware on, if i reset it the right way with a usb cable. the web site doesn’t explain it any way how this is any worse than that…?
So, what is the probability of it affecting a lot of people?
The ESP32 chip, developed by Espressif Systems, is widely used in various IoT (Internet of Things), embedded systems, and consumer electronics due to its low power consumption, built-in Wi-Fi & Bluetooth, and high processing capability.
Devices That Use the ESP32 Chip
- Development Boards & Microcontrollers
ESP32 DevKit series (official Espressif boards)
M5Stack and M5Stick series
Adafruit HUZZAH32
SparkFun ESP32 Thing
LilyGO T-Series (T-Display, T-SIM, T-Watch, etc.)
WEMOS Lolin D32/D32 Pro
- Smart Home & IoT Devices
Sonoff Smart Switches and Plugs (e.g., Sonoff Mini R3, Sonoff S31)
Shelly Smart Relays (e.g., Shelly 1, Shelly 2.5)
Tuya-Based Smart Devices (many smart home products use Tuya firmware on ESP32)
Air quality monitors (e.g., AirGradient open-source air sensors)
IoT Sensor Hubs (various DIY and commercial solutions)
- Wearables & Portable Devices
TTGO T-Watch (ESP32-based smartwatch)
Heltec WiFi Kit Series (LoRa-enabled IoT devices)
Fitness trackers (some DIY and prototype models)
- Robotics & DIY Electronics
ESP32-CAM (ESP32-based camera module)
DIY drones & robots (used in hobbyist and educational robotics)
3D Printer controllers (e.g., ESP32-based Klipper controllers)
- Industrial & Commercial Products
ESP32-based vending machines (wireless payment systems)
Smart irrigation controllers
Energy monitoring devices (e.g., OpenEnergyMonitor)
Smart locks & security systems
- Audio & Multimedia Devices
ESP32-based web radios
DIY Bluetooth speakers
Smart light controllers with voice assistants
Why Is ESP32 Popular?
✔ Low-cost & powerful (dual-core, Wi-Fi, Bluetooth) ✔ Great for DIY & commercial IoT applications ✔ Strong developer community & open-source support ✔ Compatible with Arduino, MicroPython, ESP-IDF, etc.
