A hidden feature in a cheap, and wildly popular, Bluetooth chip used in at least a billion devices, could lead to identity theft, security researchers have warned.
Google paid hackers $11.8 millionas they are uncovered. But what if the vulnerability was in hardware? Specifically, a cheap microchip used in more than a billion devices, including smartphones, speakers, smart locks, and even medical devices, to enable WiFi and Bluetooth connections.
What if the vulnerability was in the form of a hidden function, one that could be exploited by threat actors, according to security researchers? Here’s what you need to know.One of the world’s most popular microchips used in devices as diverse as smartphones and medical devices, the ESP32, is found in more than a billion Internet of Things, erm, things, according to its Chinese manufacturer Espressif. Providing connectivity for both Bluetooth and Wi-Fi, one of the reasons the ESP32 is so popular is because it’s so cheap, costing as little as $2 on most e-commerce marketplaces. However, as part of ongoing security research into the Bluetooth standard, a worrying vulnerability has emerged: the presence of undocumented commands that could, under certain circumstances, be exploited by threat actors. Researchers at security vulnerability auditing specialists Tarlogic have uncovered the hidden commands, allowing operations such as the reading and modification of memory in a Bluetooth chip controller, which they said could “facilitate supply chain attacks, the concealment of backdoors in the chipset, or the execution of more sophisticated attacks.” The researchers also noted that the presence of these proprietary host controller interface commands is more appropriately referred to as a hidden feature than a backdoor, per se., “allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.”Russia Is Bombing Bridges To Cut Off 10,000 Ukrainian Troops In Kursk According to the research carried out by the innovation department at Tarlogic, and presented at he world’s largest Spanish-language cybersecurity conference, RootedCON, the hidden ESP32 commands could allow for “modifying the chips arbitrarily to unlock additional functionalities, infecting these chips with malicious code, and even carrying out attacks of identity theft of devices.” This, the researchers said, means that threat actors could potentially impersonate known devices so as to connect to mobile phones, computers and smart devices, even if they are in offline mode. The end result of this? “To obtain confidential information stored on them, to have access to personal and business conversations, and to spy on citizens and companies,” according to Tarlogic. I have reached out to Espressif for a statement. Meanwhile, Tarlogic said it has developed a solution called BluetoothUSB, “a driver that allows security tests and attacks to be implemented to achieve complete security audits on all kinds of devices regardless of the operating system or programming language.”
Bluetooth Chip ESP32 Espressif Bluetooth Security Bluetooth Hack Tarlogic Iot Internet Of Things China
United States Latest News, United States Headlines
Similar News:You can also read news stories similar to this one that we have collected from other news sources.
The Dangers of Identity Theft: Protecting Your Financial AssetsThis article explores the various tactics used by fraudsters to steal personal and financial information, the devastating consequences of identity theft, and practical steps individuals can take to safeguard their assets.
Read more »
Freezing Your Credit: A Proactive Step Against Identity TheftThis article explores the benefits and drawbacks of freezing your credit as a preventative measure against identity theft. It explains how credit freezing works, its advantages, and potential inconveniences. The article also clarifies common misconceptions and encourages readers to consider this security option.
Read more »
ChromeOS 133 Update Sneak Peek: Bounce Keys, Super Resolution for Bluetooth Mics, and MoreThe chromeOS.dev team has provided preview notes for the upcoming ChromeOS 133 update. This update promises several new features, including Bounce Keys for improved accessibility, Bluetooth Super Resolution for enhanced microphone audio quality, and expanded language support for the Screencast feature. Users can also look forward to an updated Welcome Tour for a smoother onboarding experience.
Read more »
Texas Man Becomes Victim of Identity Theft After Stranger Accesses PhoneA North Texan reports his identity being stolen after a stranger gained access to his phone while it was in his possession. The thief used his information to obtain a driver's license with a different photo and attempted to open new lines of credit.
Read more »
Arizona Homeowners Fall Victim to Bold Identity Theft SchemeA Phoenix couple's home was stolen through a sophisticated identity theft scheme. Squatters assumed the homeowners' identities, forged documents, and sold the property to unsuspecting investors.
Read more »
An unexpected tax form in your mailbox could signal identity theftPeople are reporting they've received a surprise tax form falsely claiming they've made money on a payment app they never used.
Read more »