Researchers uncover hidden 'backdoor' in widely used ESP32 microchip
www.techspot.com
A hot potato: The ESP32 chip, found in over a billion devices worldwide, contains undocumented vendor-specific commands that could potentially be misused to access device memory and manipulate Bluetooth functionality. Security experts emphasize that these commands are not directly accessible remotely without additional vulnerabilities and typically require physical access or already compromised firmware to exploit.

An undocumented set of low-level commands has been discovered in the ESP32 microchip, a widely used component in IoT devices. Manufactured by the Chinese company Espressif, the ESP32 is a crucial component for Wi-Fi and Bluetooth connectivity in numerous smart devices, including mobile phones, computers, smart locks, and medical equipment. As of 2023, it is present in over a billion units worldwide.

This discovery was made by Spanish researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security. The researchers presented their findings at RootedCON in Madrid, revealing undocumented proprietary HCI commands in the ESP32's Bluetooth firmware. This set of 29 hidden vendor-specific commands, including Opcode 0x3F, enables low-level control over Bluetooth functions.

In a later update on their blog, the researchers downplayed the use of the term "backdoor" to describe their findings, clarifying that these proprietary HCI commands could be considered "hidden features" that allow operations such as reading and modifying memory in the ESP32 controller. However, the use of these commands could still facilitate supply chain attacks or the concealment of backdoors in the chipset.

The existence of these undocumented commands raises concerns about potential malicious implementations at the OEM level and the risk of supply chain attacks. While Espressif has not publicly documented these commands, their presence more likely suggests an oversight than an intentional inclusion.

These commands can be leveraged to manipulate memory by reading and writing to RAM and Flash, spoof MAC addresses to impersonate devices, and inject LMP/LLCP packets. While these functionalities are not inherently malicious, they could be misused by attackers who have already gained access to a device, allowing for impersonation attacks, bypassing security audits, or permanently modifying device behavior.

The risks associated with these commands primarily depend on the attack vector. In most cases, remote exploitation would require additional vulnerabilities, such as pre-installed malware or firmware manipulation. The more practical attack scenario would likely involve physical access to the device's USB or UART interface.

To analyze and expose these hidden commands, Tarlogic developed a new C-based USB Bluetooth driver, BluetoothUSB, which provides hardware-independent and cross-platform access to Bluetooth traffic. This tool enables comprehensive security audits of Bluetooth devices without relying on OS-specific APIs, addressing a significant gap in current security testing tools. Traditional security auditing tools often require specialized hardware and are limited by their dependence on specific operating systems, making comprehensive audits more challenging.

The potential impact of these undocumented commands is particularly relevant given the ESP32's widespread use in low-cost IoT devices, which can be purchased for as little as $2. While these commands were probably meant for debugging, their presence is a reminder of why strong firmware security is crucial in the IoT world.
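As an added illustration (not code from the article or from Tarlogic's BluetoothUSB driver): an HCI opcode splits into a 6-bit opcode group field (OGF) and a 10-bit opcode command field (OCF), and the 0x3F mentioned above is the OGF that the Bluetooth specification reserves for vendor-specific commands. The Python below parses H4-framed HCI command packets from a host-to-controller capture and reports every vendor-specific command, the kind of check a firmware or supply-chain audit would run over traffic captured on a device's UART or USB interface; the sample stream and the vendor OCF 0x001 in it are constructed for the example, not real ESP32 commands.

```python
"""Flag vendor-specific HCI commands in an H4 (UART) host-to-controller stream.

Framing: type byte (0x01 = HCI command), opcode (2 bytes LE), param length, params.
opcode = (OGF << 10) | OCF; OGF 0x3F is reserved for vendor-specific commands.
"""
import struct
from typing import List, NamedTuple

H4_COMMAND = 0x01
OGF_VENDOR_SPECIFIC = 0x3F


class HciCommand(NamedTuple):
    opcode: int
    ogf: int      # opcode group field (upper 6 bits)
    ocf: int      # opcode command field (lower 10 bits)
    params: bytes

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def parse_h4_commands(stream: bytes) -> List[HciCommand]:
    """Return every HCI command packet; raise on truncation or other packet types."""
    cmds, i = [], 0
    while i < len(stream):
        if stream[i] != H4_COMMAND:
            raise ValueError(f"unsupported H4 packet type 0x{stream[i]:02x} at {i}")
        if i + 4 > len(stream):
            raise ValueError(f"truncated HCI command header at {i}")
        opcode, plen = struct.unpack_from("<HB", stream, i + 1)
        params = stream[i + 4:i + 4 + plen]
        if len(params) != plen:
            raise ValueError(f"truncated parameters at {i}")
        cmds.append(HciCommand(opcode, opcode >> 10, opcode & 0x3FF, params))
        i += 4 + plen
    return cmds


def audit_vendor_commands(stream: bytes) -> List[str]:
    """One finding per vendor-specific command seen; empty list means none."""
    return [f"vendor-specific HCI command OCF=0x{c.ocf:03x} ({len(c.params)} param bytes)"
            for c in parse_h4_commands(stream) if c.vendor_specific]


# Constructed sample: HCI_Reset (opcode 0x0C03, no params) followed by a
# hypothetical vendor command with OCF 0x001 (opcode 0xFC01) and two param bytes.
SAMPLE_STREAM = bytes([0x01, 0x03, 0x0C, 0x00,
                       0x01, 0x01, 0xFC, 0x02, 0xAA, 0xBB])

if __name__ == "__main__":
    print("\n".join(audit_vendor_commands(SAMPLE_STREAM)) or "no vendor-specific commands")
```

The parser refuses truncated packets and non-command packet types rather than skipping them, so a damaged capture shows up as an error instead of a silently clean audit.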