Bluetooth Security Flaw: 1 Billion Chips At Risk Of Identity Theft

Updated on March 19, 2025

While the headlines often cover social engineering attacks such as the recent PayPal scam or malware alerts on YouTube, it is actually the exploitation of vulnerabilities that is the preferred stock-in-trade of threat actors. Indeed, Google’s $11.8 million investment in bug bounties over the course of 2024 serves to encourage the discovery and reporting of such vulnerabilities, on top of the routine security updates it releases for its products.

The problems arise when those vulnerabilities are found in hardware, namely an inexpensive microchip that has been integrated into over a billion devices (smartphones, speakers, medical equipment, and the like) for WiFi and Bluetooth connectivity.

Espressif’s ESP32 microchip is a favourite for every application imaginable: more than a billion units have been deployed in the Internet of Things ecosystem. Its affordability, at around $2 from various online marketplaces, is a major reason for its popularity.

Recent Bluetooth security research revealed a very disturbing vulnerability: the chip contains undocumented commands that can be executed with malicious intent.

Tarlogic, a company specializing in security vulnerability assessments, has discovered these hidden commands, which permit reading and changing memory in the Bluetooth chip's controller. The researchers said this could lead to supply chain attacks, the implanting of backdoors in the chipset, or even more advanced attacks. They described these proprietary Host Controller Interface (HCI) commands as hidden features rather than a conventional backdoor.

Whatever the term, using these commands means that a malicious entity can impersonate vulnerable devices such as mobile phones, computers, smart locks, or medical equipment, bypassing even rigorous code audits and leaving them permanently compromised.

Exploiting these commands could allow malicious actors to impersonate victims and endanger their devices, including smartphones, computers, smart locks, and medical devices, the researchers warned.
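The hidden features described above are proprietary HCI commands, and in the Bluetooth HCI opcode layout vendor-specific commands sit in opcode group (OGF) 0x3F, so a host-side audit can list every such command a driver sends to the controller. The following is an added example, not code from Tarlogic, Espressif or this article; the sample bytes and the vendor opcodes 0xFC01 and 0xFC02 are constructed placeholders, not the ESP32's actual commands.

```python
"""Flag vendor-specific HCI commands in an H4-framed host-to-controller byte stream."""
from dataclasses import dataclass

H4_COMMAND = 0x01   # H4 (UART transport) packet indicator for an HCI command
OGF_VENDOR = 0x3F   # opcode group reserved for vendor-specific commands

@dataclass
class HciCommand:
    opcode: int
    ogf: int      # upper 6 bits of the opcode
    ocf: int      # lower 10 bits of the opcode
    params: bytes

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR

def parse_h4_commands(stream: bytes) -> list[HciCommand]:
    """Parse consecutive H4 HCI command packets; raise on truncated or foreign data."""
    out, i = [], 0
    while i < len(stream):
        if stream[i] != H4_COMMAND:
            raise ValueError(f"offset {i}: not an HCI command packet (0x{stream[i]:02x})")
        if i + 4 > len(stream):
            raise ValueError(f"offset {i}: truncated command header")
        opcode = int.from_bytes(stream[i + 1:i + 3], "little")
        plen = stream[i + 3]
        params = stream[i + 4:i + 4 + plen]
        if len(params) != plen:
            raise ValueError(f"offset {i}: truncated parameters")
        out.append(HciCommand(opcode, opcode >> 10, opcode & 0x3FF, params))
        i += 4 + plen
    return out

def audit(stream: bytes, allowlist: frozenset[int] = frozenset()) -> list[HciCommand]:
    """Return vendor-specific commands whose opcode is not on the reviewed allowlist."""
    return [c for c in parse_h4_commands(stream)
            if c.vendor_specific and c.opcode not in allowlist]

# Constructed sample capture: two standard commands, then two made-up vendor opcodes.
SAMPLE = bytes.fromhex(
    "01030c00"          # HCI_Reset         (OGF 0x03, OCF 0x003)
    "01091000"          # HCI_Read_BD_ADDR  (OGF 0x04, OCF 0x009)
    "0101fc0400000000"  # placeholder vendor opcode 0xFC01, 4 parameter bytes
    "0102fc00"          # placeholder vendor opcode 0xFC02, no parameters
)

if __name__ == "__main__":
    for cmd in audit(SAMPLE, allowlist=frozenset({0xFC02})):
        print(f"unreviewed vendor command 0x{cmd.opcode:04x} params={cmd.params.hex()}")
```

Any opcode the audit reports that is absent from the vendor's documentation is a candidate for review before the firmware or driver ships.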

Aimee Pearcy

Tech Journalist

