The ESP32 chip is used in tons of devices. The scope of this is really broad.
HeartBleed level.
No way they’re on the same level. Heartbleed allowed for remote memory reads. This requires you to have access to change the firmware and just gives you some more APIs to control the WiFi system and possibly bypass firmware verification.
No way they’re on the same level. Heartbleed allowed for remote memory reads.
I professionally studied HeartBleed as a security researcher and wrote a peer reviewed opinion piece which was published. I won’t say where or the title because it would give you my full name, so deal with it. Not trying to humble-brag, just trying to say, I’ve done the research myself here.
HeartBleed was an oversight which sent out enabled by default (!) a TLS heartbeat read overrun error in OpenSSL v1.0.1 to 1.0.2-beta which allowed any third party with an internet connection the ability to request information, 64kb at a time, stored in an affected servers memory. Anything. Private keys, encryption keys, TLS private keys (imagine SSL verified MITM attacks), decrypted sensitive files (which are HDD encrypted and decrypted in memory), passwords, anything.
All’s you had to do was know how to request the information, and the server you wanted to attack. It went undiscovered for a number of months before it was found. The extension was enabled by default, and came bundled with software used on literally billions of private computing devices, servers, IoT devices, and even interstitial devices used over network connection.
Here’s an excerpt from some other security researchers on the subject, in case you don’t want to take my word for it;
We have tested some of our own services from attacker’s perspective. We attacked ourselves from outside, without leaving a trace. Without using any privileged information or credentials we were able steal from ourselves the secret keys used for our X.509 certificates, user names and passwords, instant messages, emails and business critical documents and communication. 1
You’re correct that they’re not on the same level, but completely backwards in thinking that an undocumented bluetooth backdoor is worse than the worst vulnerability found since the invention of the internet. HeartBleed affected hundreds of millions of critical servers. Literally billions of devices in total. How many consumer devices do you think have this exact bluetooth chip? 10,000? 100,000? 10 million? Still small peanuts in comparison.
Armed with this new tool, which enables raw access to Bluetooth traffic, Targolic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a “backdoor,” that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren’t meant to be accessible, or they were left in by mistake.
I’d kind of like to know whether these can be used against an unpaired device or not. That’d seem to have a pretty dramatic impact on the scope of the vulnerability.
From the article …
The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023
From the person I’m replying to …
I’d kind of like to know whether these can be used against an unpaired device or not. That’d seem to have a pretty dramatic impact on the scope of the vulnerability.
Don’t see how that would matter much. The “scope of the vulnerability” is sufficiently large enough that it should not be partially or otherwise discredited as a risk.
If someone owns a Bluetooth device, then its fair to think that at some point they’d actually use it, being vulnerable to the backdoor access. That’s billions of uses right there, on a regular basis.
From the article …
The researchers warned that ESP32 is one of the world’s most widely used chips for Wi-Fi + Bluetooth connectivity in IoT (Internet of Things) devices, so the risk of any backdoor in them is significant.
At rough count I have 16 of those buggers. Appliances, switches, load meters, lights, etc. If I look harder, I’d probably find more. Yikes!
Someone correct me if i’m wrong, but it looks like it’s not the big deal the original blog post makes it out to be.
To issue those undocumented HCI commands one either needs to hijack a computer/soc/mcu that is connected to an esp32 with HCI UART transport enabled or put malicious software on the esp itself.
The mac spoofing might be interesting for people building hacking tool, however.
Yeah, this is hyped for clicks. This requires the target device to already be paired and requires privileged access on the local system to install the custom driver. NVD rates the exploitability of CVE-2025-27840 as 0.3 out of 10.
While I have a few ESP32 in my collection, I am now happy that I chose a different platform for my project.
I wonder what people will say in Nürnberg next week at Embedded World.
Computers are what we’d get if Epimetheus stole something from the gods for us instead
