Billions of Devices at Risk of Hacking Due to Hidden Commands



Tarlogic team giving their presentation during RootedCON. Image: Tarlogic

Billions of devices worldwide rely on a widely used Bluetooth-Wi-Fi chip that contains undocumented “hidden commands.” Researchers warn these commands could be exploited to manipulate memory, impersonate devices, and bypass security controls.

ESP32, made by the Chinese company Espressif Systems, is a low-cost microcontroller that provides Bluetooth and Wi-Fi connectivity in a huge range of smart devices, from consumer electronics to smart locks and medical equipment. Its popularity is partly due to price: modules are available for just a few dollars.

Hidden Bluetooth commands and potential exploits

Researchers at security firm Tarlogic found 29 undocumented Host Controller Interface (HCI) commands in the ESP32's Bluetooth controller firmware. They sit in the vendor-specific opcode group (OGF 0x3F) that the Bluetooth specification leaves to chip makers, so no public documentation covers them. The commands give low-level control over the controller, including reading and writing its memory, changing the device's Bluetooth MAC address, and injecting packets, according to Bleeping Computer, which attended Tarlogic's presentation at RootedCON.
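The practical check this raises for anyone auditing an ESP32-based product is whether the host ever sends vendor-specific commands to the controller. The Python script below is an added example (editor's code, not Tarlogic's or Espressif's): it frames HCI commands in the H4 serial format, splits a raw capture back into packets, and flags every command in the vendor-specific group OGF 0x3F. The sample trace is constructed, and the two OGF 0x3F opcodes and their parameter layouts in it are placeholders, not the opcodes Tarlogic reported.

```python
"""Audit a raw HCI (H4) byte stream for vendor-specific commands.

An HCI opcode is 16 bits: the top 6 bits are the OGF (opcode group field),
the low 10 bits the OCF. The Bluetooth Core Specification reserves OGF 0x3F
for vendor-specific commands, which is where undocumented controller commands
live. Added example; the OGF 0x3F OCFs used below are made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterator

# H4 packet indicators (Bluetooth Core Spec, Vol 4 Part A).
H4_COMMAND, H4_ACL, H4_SCO, H4_EVENT = 0x01, 0x02, 0x03, 0x04
OGF_VENDOR = 0x3F


@dataclass(frozen=True)
class HciCommand:
    opcode: int
    params: bytes

    @property
    def ogf(self) -> int:
        return self.opcode >> 10

    @property
    def ocf(self) -> int:
        return self.opcode & 0x03FF

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR


def build_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """Frame one HCI command as H4: indicator, little-endian opcode, length, params."""
    if not (0 <= ogf <= 0x3F and 0 <= ocf <= 0x3FF and len(params) <= 255):
        raise ValueError("OGF, OCF or parameter length out of range")
    opcode = (ogf << 10) | ocf
    return bytes([H4_COMMAND]) + opcode.to_bytes(2, "little") + bytes([len(params)]) + params


def iter_h4(stream: bytes) -> Iterator[tuple[int, bytes]]:
    """Split a raw H4 stream into (indicator, packet) pairs.

    Each packet type keeps its length field in a different place, so framing
    is per type. A truncated tail raises instead of being dropped silently.
    """
    # indicator -> (header length incl. indicator, offset of length field, its width)
    layout = {H4_COMMAND: (4, 3, 1), H4_EVENT: (3, 2, 1), H4_ACL: (5, 3, 2), H4_SCO: (4, 3, 1)}
    i, n = 0, len(stream)
    while i < n:
        ptype = stream[i]
        if ptype not in layout:
            raise ValueError(f"unknown H4 indicator 0x{ptype:02x} at offset {i}")
        hdr, off, width = layout[ptype]
        if i + hdr > n:
            raise ValueError(f"truncated header at offset {i}")
        plen = int.from_bytes(stream[i + off:i + off + width], "little")
        end = i + hdr + plen
        if end > n:
            raise ValueError(f"truncated packet at offset {i}")
        yield ptype, stream[i + 1:end]
        i = end


def parse_command(packet: bytes) -> HciCommand:
    """Decode a command packet (indicator already stripped) into opcode and params."""
    opcode = int.from_bytes(packet[0:2], "little")
    return HciCommand(opcode, bytes(packet[3:3 + packet[2]]))


def vendor_commands(stream: bytes) -> list[HciCommand]:
    """Return every OGF 0x3F command the host sent, in capture order."""
    found = []
    for ptype, packet in iter_h4(stream):
        if ptype == H4_COMMAND:
            cmd = parse_command(packet)
            if cmd.vendor_specific:
                found.append(cmd)
    return found


# Constructed sample trace, not a real capture. The two OGF 0x3F entries use
# invented OCFs and parameter layouts standing in for a memory read and an
# address change; they are not the opcodes Tarlogic published.
SAMPLE_TRACE = (
    build_command(0x03, 0x0003)                                        # HCI_Reset, opcode 0x0C03
    + bytes.fromhex("040e0401030c00")                                  # Command Complete for Reset
    + build_command(0x04, 0x0009)                                      # HCI_Read_BD_ADDR, opcode 0x1009
    + build_command(OGF_VENDOR, 0x123, bytes.fromhex("0010004010"))    # hypothetical: read 0x10 bytes at 0x40001000
    + build_command(OGF_VENDOR, 0x124, bytes.fromhex("112233445566"))  # hypothetical: set BD_ADDR
)


def report(stream: bytes) -> list[str]:
    """One human-readable line per vendor-specific command found."""
    return [
        f"vendor-specific HCI command 0x{c.opcode:04x} (OGF 0x{c.ogf:02x}, OCF 0x{c.ocf:03x}) params={c.params.hex()}"
        for c in vendor_commands(stream)
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_TRACE):
        print(line)
```

In practice the input would be the raw H4 bytes from a UART or USB capture of the host-to-controller link. Treat a hit as a triage signal rather than a verdict: legitimate vendor firmware loaders and radio-calibration routines also use OGF 0x3F, so the interesting finding is an OGF 0x3F command that the product's documented boot and configuration sequence does not account for, especially one carrying what looks like an address and length.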

Vendor-specific HCI commands are a normal part of controller firmware and these are not malicious in themselves. The risk is who can issue them: an attacker with that ability could spoof a trusted device's Bluetooth address, plant and conceal a backdoor in the controller, or alter how the radio behaves, and none of that would show up in an audit of the device's application code, which never sees the controller's memory. A module compromised this way could in turn serve as the foothold for a supply chain attack against the products it ships in.

“Malicious actors could impersonate known devices to connect to mobile phones, computers and smart devices, even if they are in offline mode,” the Tarlogic researchers wrote in a blog post. “For what purpose? To obtain confidential information stored on them, to have access to personal and business conversations, and to spy on citizens and companies.”

What are the barriers to entry for these exploits?

There are real barriers to abusing these commands, which is what separates them from a classic remotely reachable backdoor. HCI commands are issued by the host to the controller, so an attacker needs either physical access to the device's USB or UART interface or a prior compromise of the host firmware (through stolen root access, pre-installed malware, or some other vulnerability) before the commands can be used remotely.

What happens next?

Tarlogic researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco found the undocumented HCI commands using BluetoothUSB, a free, hardware-independent, cross-platform driver the firm built to give security auditors raw access to Bluetooth HCI traffic for testing.

The hidden commands are most likely vendor-specific debugging opcodes that were left reachable in production firmware rather than a deliberate backdoor. TechRepublic has contacted Espressif to confirm this, but the company had not responded as of writing. Its answer will determine whether firmware updates or other mitigations are released for affected devices, and whether product makers will need to restrict host access to the controller's HCI interface themselves.


