If I’ve said it once…

I’ve said it a hundred times…

Tarlogic Security has detected a hidden functionality that can be used as a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this hidden functionality would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.

<snip>

In the course of the investigation, a hidden feature was discovered in the ESP32 chip, used in millions of IoT devices and which can be purchased on the world’s most famous e-commerce sites for €2. It is this low cost that explains why it is present in the vast majority of Bluetooth IoT devices for domestic use. In 2023, the manufacturer Espressif reported in a statement that one billion units of this chip had been sold worldwide to date.

Tarlogic has detected that ESP32 chips, which allow connectivity via WiFi or Bluetooth, have hidden commands not documented by the manufacturer. These commands would allow modifying the chips arbitrarily to unlock additional functionalities, infecting these chips with malicious code, and even carrying out attacks of identity theft of devices.

Full article, HERE, from Tarlogic. h/t Stretch for the link.

If you’re ‘connected’ to the Internet of Things (IoT) in ANY way, you no longer have any privacy, and probably not much security, unless you’re a security expert who runs multiple levels of security and never (knowingly) connects your phone to your computer.

So, now that you ‘know’, what do you do?

Hope, pray, delete everything? I can’t tell you what to do, that is up to you, but I will say you should ‘always’ be careful about what you post, what you have on your phone, or what you have saved on your computer. You never know when ‘sumdood’ is going to hack you, one way or the other, and steal everything. I do routine backups, one of which is always kept offsite, and the other is unplugged unless I’m actively using it.

Be careful out there folks, it’s NOT a ‘friendly’ place on the Intarwebz…

If I’ve said it once… — 11 Comments

  1. I have a nice Kyocera mil spec flip phone, and an old laptop with nothing on it worth stealing, and use a VPN most all the time (why? I don’t know, just cuz). Use faraday bags for both, mostly when traveling. The phone has settings to turn digital data off, which is how it normally is set. Neat phone, tough, durable, waterproof and can be used as a hotspot, which I rarely do. My wife on the other hand is a walking security risk, but luckily doesn’t have any personal data worth stealing on her phone or tablet. She thinks I am overly cautious (paranoid), and jumps on every public wifi that avails itself. I admit to not being into tech, or smart about tech, but I do believe the less tech a person uses the lower the risks. I do want to go to my daughter’s house and tell her Alexa to play the Beatles “Helter Skelter” at 0300 just to freak her out, I wonder if I could do that? My daughter is in the age group who is glued to her phone and her husband is fearless in buying and using tech in all forms. I drive by her house when I am in town and flip off her door cam, one time I stopped and mooned it, she says “stop it” but it makes me laugh.

    • Damned near fell out of the chair at the antics of you and your daughter’s door cam. 🙂

  2. In this case this is just Tarlogic trying to get back in the public eye.
    There is no backdoor. The commands that Tarlogic is claiming to be bad are normal in all microcontrollers. Also, Tarlogic has changed their headline.

    To better understand, see the following blog:
    https://darkmentor.com/blog/esp32_non-backdoor/

    WB

    • Also to use these commands you have to have access to the device.
      WB

      • You need to actually lay your hands on the device and open it up. You can’t access this remotely.

        Yes there are devices with backdoors which you need to be on guard for, but this is not one of them. This is Tarlogic using scare tactics to get people to notice them.

        WB

  3. These “backdoors” were deliberately put in place by Chinese companies at the behest of the CCP. And this is just another in a long string of asymmetrical warfare attacks by America’s number one enemy, Beijing.

  4. All- Thanks for the comments.

    Wayne- Interesting…thanks.

    Dan- Agreed. How/why??? I sure as hell don’t know.

  5. I don’t, and will not, have any of my financial data on my cell phone.
    A local gas station chain will give you $.25 a gallon off if you “scan” a code (I have never scanned one of those black blobs). Went in and talked to the manager. Seems their program links directly to my bank account and my purchase is automatically transferred. Nope, not doing it. I remain a Latter Day Luddite.

    • Links directly to your bank account? At that point they can help themselves. “You were hacked?”
      Prove it.
      Now try to get your money back.

      I had read about the QR codes, but it was more in the field of using them to install viruses on your phone. Linking directly to your bank account is a new wrinkle.

      • Ever feel like adding an extra random black block to various QR codes? I have not done that. It is tempting, however.