Command hidden in the free Bluetooth chip can lead to theft of idea, the researchers said.
Although we are used to hearing more online attacks that rely on social engineering, such as the latest Paypal or YouTube Malware fraud warnings, the use of vulnerability remains in the chairs of threat actors. That is why Google paid 11.8 million dollars to the benefit of mistakes in 2024 to find and report them, and regularly issues product safety updates after they are detected. But if the weakness in the hardware felt? Specifically, a free microchip used in more than a billion devices, including smartphones, speakers, intelligent locks and even medical equipment, to enable WiFi and Bluetooth connections. What if the weakness was in the form of a hidden function, one that could be used by the actors of threat, according to security researchers? Here’s what you need to know.
Chip controller Bluetooth in the heart of the new security warning
One of the world’s most popular microcytes used in devices as different as intelligent phones and medical equipment, ESP32, is found in more than a billion internet things, ERM, things, according to its Chinese manufacturer Espressif. Providing link for Bluetooth and Wi-Fi, one of the reasons ESP32 is so popular is because it is so cheap, costing as little as $ 2 in most e-commerce market. However, as part of the continuous safety research at the Bluetooth standard, there has been a worrying weakness: the presence of unoccupied commands that can be used, under certain circumstances, by the threat actors.
Researchers at Tarlogic Security Audit Specialists have discovered hidden commands, allowing operations such as reading and modifying memory in a Bluetooth chip controller, which they said can “facilitate supply chain attacks, concealing the backgrounds, or execution of more sophisticated attacks.” The researchers also noted that the presence of these commands of the host receiver controller has been more appropriate as a hidden feature than a background, itself.
Utilizing commands, however, refer to them, will researchers say, “allow hostile actors to perform impersonation attacks and permanently infect sensitive devices such as cell phones, computers, intelligent locks or medical equipment bypassing code audit controls.”
Hidden Chip Bluetooth commands can allow device impersonation attacks
According to the research conducted by the Tarlogic Innovation Department, and presented at the world’s largest Conference in the Spanish Internet, Rootedcon, ESP32 hidden commands may allow “modification of arbitrarily fry to unlock additional functionalities, infecting these chips with malicious code and anticipation attacks. equipment. ” This, researchers said, means that threat actors can falsify popular devices in order to connect to mobile phones, smart computers and equipment, even if they are offline fashionable. The end result of this? “To get confidential information stored on them, have access to personal and business conversations and to spy on citizens and companies,” According to Tarlogic.
I have reached Espressif for a statement. Meanwhile, Tarlogic said he has developed a solution called Bluetoothusb, “a driver that allows safety tests and attacks to achieve complete security audits in all types of equipment, regardless of operating system or programming language.”