Bitcoin Forum
Author Topic: Bluetooth Backdoor Hidden Vulnerability!  (Read 146 times)
dkbit98 (OP)
March 12, 2025, 08:24:50 PM
Last edit: March 14, 2025, 02:05:36 PM by dkbit98
Merited by ABCbits (3), SFR10 (1)
 #1

A few days ago I saw this news released on many tech security websites, and it just confirms what I suspected a long time ago.

The specific Bluetooth ESP32 microchips mentioned in these articles are made by the Chinese manufacturer Espressif, but something similar could apply to other manufacturers.
1 billion devices could be affected by this vulnerability, and attacks can permanently infect devices like mobile phones, computers, smart locks, Internet of Things, or bitcoin signing devices.

This is just one of the reasons I generally don't like using devices with Bluetooth, especially for bitcoin signing devices and hardware wallets.

Quote
In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/

Quote
- The ESP32 microchip contains an undocumented backdoor with hidden vendor-specific commands.
- These commands allow low-level control over Bluetooth functions, enabling memory manipulation, MAC address spoofing, and packet injection.
- 29 undocumented commands were discovered by Spanish researchers, collectively forming a "backdoor" that enables potential exploitation for unauthorized access or manipulation.
- The risks associated with these commands are significant, particularly in the context of IoT devices, where an attacker could spoof trusted devices, access unauthorized data, pivot to other devices, or establish long-term persistence.
https://www.ethicalhackingnews.com/articles/The-Hidden-Vulnerability-Undocumented-Backdoor-Found-in-Ubiquitous-Bluetooth-Chip-Used-by-a-Billion-Devices-ehn.shtml

Quote
A €2 chip can open the door to identity theft to connect to thousands of IoT devices
https://www.tarlogic.com/news/hidden-feature-esp32-chip-infect-ot-devices/

Hardware wallets with Bluetooth connection:

- Ledger Nano X, Ledger Flex, Ledger Stax
- Jade, Jade plus
- Passport Prime
- OneKey classic, Onekey Pro
- D'cent
- SecuX all
- Safepal
- Coolwallet
- Era wallet



I am trying to research and identify which Bitcoin hardware wallets and signing devices are using the ESP32 Espressif Bluetooth microchip, and I would appreciate it if someone could help me with this investigation.


ABCbits
March 13, 2025, 09:02:21 AM
 #2

Quote from: dkbit98
I am trying to research and identify which Bitcoin hardware wallets and signing devices are using the ESP32 Espressif Bluetooth microchip, and I would appreciate it if someone could help me with this investigation.

Jade Classic[1] mentions "Espressif ESP32" in the connector section[1], while the Jade DIY guide[2] mentions 2 devices (M5Stack Basic Core and M5Stack FIRE) that use the "Espressif ESP32 chipset". I assume it means they also use the "ESP32 Espressif Bluetooth microchip". But the DIY guide also has a section on completely disabling Bluetooth.

[1] https://store.blockstream.com/products/blockstream-jade-hardware-wallet
[2] https://github.com/Blockstream/Jade/tree/master/diy

dkbit98 (OP)
March 13, 2025, 10:49:24 PM
 #3

Quote from: ABCbits
Jade Classic[1] mentions "Espressif ESP32" in the connector section[1], while the Jade DIY guide[2] mentions 2 devices (M5Stack Basic Core and M5Stack FIRE) that use the "Espressif ESP32 chipset". I assume it means they also use the "ESP32 Espressif Bluetooth microchip". But the DIY guide also has a section on completely disabling Bluetooth.

Thanks ABCbits!
I knew about M5Stack and I have one of their devices, but luckily Bluetooth is disabled and not used with the Krux DIY wallet.
As for Jade, I have to say that I am a bit concerned since these devices are using a Bluetooth connection with smartphones.
I am wondering what Ledger is using for Bluetooth... while the Donjon team is busy examining other hardware wallets ;)

mcdouglasx
March 13, 2025, 11:35:28 PM
 #4

Quote from: dkbit98
I am wondering what Ledger is using for Bluetooth...


Ledger uses ST33K1M5 and STM32WB55.


dkbit98 (OP)
March 14, 2025, 02:07:54 PM
 #5

Quote from: mcdouglasx
Ledger uses ST33K1M5 and STM32WB55.

I know what microchips and secure elements Ledger wallets are using and I wrote that in one of my topics, Secure Element in Hardware Wallets.
What I don't know is how Bluetooth is integrated or connected with the microchips, and if they also have backdoor access.
And it is not only the ESP32 microchip from Espressif that has issues.

satscraper
April 19, 2025, 05:23:14 AM
Merited by DaveF (3)
 #6

Quote from: dkbit98
A few days ago I saw this news released on many tech security websites, and it just confirms what I suspected a long time ago.

The specific Bluetooth ESP32 microchips mentioned in these articles are made by the Chinese manufacturer Espressif, but something similar could apply to other manufacturers.
1 billion devices could be affected by this vulnerability, and attacks can permanently infect devices like mobile phones, computers, smart locks, Internet of Things, or bitcoin signing devices.

This is just one of the reasons I generally don't like using devices with Bluetooth, especially for bitcoin signing devices and hardware wallets.

Quote
In total, they found 29 undocumented commands, collectively characterized as a "backdoor," that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/




Media hype in fact.

There is no flaw in the design of the ESP32 chip manufactured by Espressif.

The hidden commands found are actually internal HCI debug commands that can only be used via USB or UART, but not remotely via Bluetooth or WiFi.

They were left in firmware inadvertently. Espressif Systems has promised to remove these debug commands when updating the firmware for the relevant chip.
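
How a firmware or host-side shim could tell the vendor-specific debug commands discussed in this post apart from standard ones on the UART (H4) HCI transport, as an added example that is not part of the thread and not Espressif's code. `hci_filter` and the sample frames are hypothetical and constructed; the only facts relied on are the HCI opcode layout (upper 6 bits OGF, lower 10 bits OCF) and OGF 0x3F being the vendor-specific group.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define H4_TYPE_COMMAND 0x01 /* UART (H4) indicator byte for an HCI command */
#define OGF_VENDOR      0x3F /* opcode group reserved for vendor-specific commands */

typedef enum { HCI_ALLOW, HCI_BLOCK_VENDOR, HCI_MALFORMED } hci_verdict;

/* Hypothetical filter for one H4-framed HCI command:
 * [0x01][opcode lo][opcode hi][param length][params...] */
hci_verdict hci_filter(const uint8_t *pkt, size_t len, uint16_t *opcode_out)
{
    if (pkt == NULL || len < 4 || pkt[0] != H4_TYPE_COMMAND)
        return HCI_MALFORMED;
    if ((size_t)pkt[3] + 4 != len) /* declared length must match the frame */
        return HCI_MALFORMED;

    uint16_t opcode = (uint16_t)(pkt[1] | (pkt[2] << 8)); /* little-endian */
    if (opcode_out != NULL)
        *opcode_out = opcode;

    /* Upper 6 bits are the OGF, lower 10 bits the OCF. */
    return (opcode >> 10) == OGF_VENDOR ? HCI_BLOCK_VENDOR : HCI_ALLOW;
}

/* Constructed sample frames (not captured from any device). */
static const uint8_t SAMPLE_RESET[]  = {0x01, 0x03, 0x0C, 0x00};             /* HCI_Reset */
static const uint8_t SAMPLE_VENDOR[] = {0x01, 0x01, 0xFC, 0x02, 0xAA, 0xBB}; /* placeholder OGF 0x3F opcode */
static const uint8_t SAMPLE_TRUNC[]  = {0x01, 0x01, 0xFC, 0x04, 0xAA};       /* length byte lies */

int main(void)
{
    static const char *names[] = {"allow", "block (vendor-specific)", "malformed"};
    uint16_t op = 0;

    printf("reset  -> %s\n", names[hci_filter(SAMPLE_RESET, sizeof SAMPLE_RESET, &op)]);
    printf("vendor -> %s\n", names[hci_filter(SAMPLE_VENDOR, sizeof SAMPLE_VENDOR, &op)]);
    printf("trunc  -> %s\n", names[hci_filter(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, &op)]);
    return 0;
}
```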


satscraper
May 02, 2025, 08:07:27 AM
 #7

Quote from: dkbit98
I am wondering what Ledger is using for Bluetooth...


The Ledger Nano X has on its board an STM32WB55 microcontroller, which includes native support for BLE communication.

They stated that "secret keys or seed are never exposed to the BLE stack" but the latter "may transport your public keys or addresses".

They also issued a warning to users of older Android devices about the potential risk of a MiTM attack over the Bluetooth channel.
