Undocumented Commands Found In Bluetooth Chip Manufactured in China Used By a Billion Devices.

Well... Shit.

There are so, so, so, many ESP32's in not just my house, but practically everyone I know.

There outta be fines for this BS.

We really should be pushing for fully open source stack (firmware, os) in all iot devices. They are not very complicated so this should be entirely possible. Probably will need a EU law though.

I hate it when an attacker who already has root access to my device gets sightly more access to the firmware. Definitely spin up a website and a logo, maybe a post in Bloomberg.

Too much fanfare and too little real info shared to be of any value. Sounds more like an ad than infosec

This sounds like there are some undocumented opcodes on the HCI side -- the Host Computer Interface -- not the wireless side. By itself, it's not that big a deal. If someone can prove that there's some sort of custom BLE packet that gives access to those HCI opcodes wirelessly, I'd be REALLY concerned.

But if it's just on the host side, you can only get to it if you've cracked the box and have access to the wiring. If someone has that kind of access, they're likely to be able to flash their own firmware and take over the whole device anyway.

Not sure this disclosure increases the risk any. I wouldn't start panicking.

This isn't a backdoor. Just a company trying to make a name for themselves by sensationalizing a much smaller discovery.

The other day someone posted in Canada community that Canada should stop using Tesla cars and import Chinese cars. I replied saying, “That’s like replacing one evil with another.” I was downvoted by a lot of people. I should’ve expected it cuz a lot of people have short term memory.

This turned racist / xenophobic real quickly.

There have been several other posts about this without mentioning China at all, especially in the post itself.

No where in the article does it say "chinese", literally anywhere.

Check your racism.

Edited to remove where I stated it was manufactured. I did a quick search and found a couple mentions, but did not thoroughly check sourced. Apologies.

I’d like to know if this is just a firmware update or unfixable, but sadly this seems just an ad rather than news

Please update the title of this post to mention the update

Weird that they removed the reference to ESP32, one of the most common and widely known microcontrollers, from the headline.

Gotta blame China to get upvoted on Lemmy.

Not the first time a backdoor was found on Chinese made hardware and it won‘t be the last time. Decoupling can‘t happen quickly enough.

Fukin dmnit! I just spent the last several months fine tuning a PCB design supporting this platform. I have , what i believe to be my last iteration, being sent to fab now. I have to look i to this. My solution isnt using bluetooth, so i dont know if im vulnerable.

The rebuttal wasn't as comforting as some are making it out to be. They seem to be more interested in the semantics of it not being a backdoor tied to a specific product, which appears to be true.

Rather it is a potential for vulnerability that exists in all wireless implementation, which seems to me to be a bigger issue.

One more reason to have actual open-source drivers instead of binary blobs..

Does anyone know where it is that we can find these new commands? I have an esp32 dev kit just a few feet away from me as i read this. It might be interesting to know what these new product "features" are.

I couldn’t find a list of devices. Anyone else find one?

welp, TL;DR from comments says its fear mongering at best, physical access required right?

Is this some hardware flaw, or just something in their standard BT stack?

Jokes on them, I live in America when all that shit was already being done.

I have a bunch of ESP32's that ... I can update and replace the firmware on, if i reset it the right way with a usb cable. the web site doesn't explain it any way how this is any worse than that...?

Babe, wake up its time for your china fear mongering news

Yeah one of my more… tech adventurous friends had the most insane series of security breaches (to out it mildly) potentially related to this and some other recent ridiculousness.

The ESP32 chip, developed by Espressif Systems, is widely used in various IoT (Internet of Things), embedded systems, and consumer electronics due to its low power consumption, built-in Wi-Fi & Bluetooth, and high processing capability.

---

Devices That Use the ESP32 Chip

1. Development Boards & Microcontrollers

ESP32 DevKit series (official Espressif boards)

M5Stack and M5Stick series

Adafruit HUZZAH32

SparkFun ESP32 Thing

LilyGO T-Series (T-Display, T-SIM, T-Watch, etc.)

WEMOS Lolin D32/D32 Pro

2. Smart Home & IoT Devices

Sonoff Smart Switches and Plugs (e.g., Sonoff Mini R3, Sonoff S31)

Shelly Smart Relays (e.g., Shelly 1, Shelly 2.5)

Tuya-Based Smart Devices (many smart home products use Tuya firmware on ESP32)

Air quality monitors (e.g., AirGradient open-source air sensors)

IoT Sensor Hubs (various DIY and commercial solutions)

3. Wearables & Portable Devices

TTGO T-Watch (ESP32-based smartwatch)

Heltec WiFi Kit Series (LoRa-enabled IoT devices)

Fitness trackers (some DIY and prototype models)

4. Robotics & DIY Electronics

ESP32-CAM (ESP32-based camera module)

DIY drones & robots (used in hobbyist and educational robotics)

3D Printer controllers (e.g., ESP32-based Klipper controllers)

5. Industrial & Commercial Products

ESP32-based vending machines (wireless payment systems)

Smart irrigation controllers

Energy monitoring devices (e.g., OpenEnergyMonitor)

Smart locks & security systems

6. Audio & Multimedia Devices

ESP32-based web radios

DIY Bluetooth speakers

Smart light controllers with voice assistants

---

Why Is ESP32 Popular?

✔ Low-cost & powerful (dual-core, Wi-Fi, Bluetooth) ✔ Great for DIY & commercial IoT applications ✔ Strong developer community & open-source support ✔ Compatible with Arduino, MicroPython, ESP-IDF, etc.

So, what is the probability of it affecting a lot of people?

At this point I welcome them to come through.