Bluetooth Vulnerability Discovered Affecting Millions of Devices
David Schwartz, chief technology officer at Ripple, has commented on a recently discovered Bluetooth vulnerability affecting nearly a billion devices.
> “Not good,” Schwartz said in a social media post, highlighting concerns regarding security.
Earlier this week, Tarlogic, a Spanish cybersecurity firm, revealed a backdoor in the widely used ESP32 microcontroller. This low-cost chip, priced around $2, is found in most Bluetooth IoT devices including smartwatches, smart locks, LED controllers, fitness trackers, and security cameras.
Tarlogic’s findings indicate that the chip can be infected with malicious code due to the presence of hidden commands. The firm identified a total of 29 undocumented commands that could function as a backdoor, potentially allowing bad actors to access devices that use the ESP32 chip, even when offline. Motivations for such attacks range from data theft to surveillance.
Some experts have questioned the characterization of undocumented commands as a backdoor. Espressif, the Chinese company producing the chip, has yet to comment on the discovery. It appears that resolving this issue may require replacing hardware entirely.
Previously, Schwartz had also raised concerns regarding a Windows vulnerability that could enable attackers to execute arbitrary code within Wi-Fi range.