On March 10, according to EEnews Europe, researchers in Spain discovered hidden instructions in a low-cost microcontroller from Espressif, making it vulnerable to attacks. This microcontroller has been widely used in the Internet of Things (IoT).
The team from Tarlogic Innovation in Madrid demonstrated a study showing that the Espressif ESP32 integrated Bluetooth microcontroller (MCU) contains undocumented instructions, which are present in millions of smart devices. This controller uses Cadence Design Systems’ configurable Tensilica LX7 core or a RISC-V core with an internally designed extended instruction set architecture.
However, just a day earlier, Espressif announced that its ESP32-C6 microcontroller had obtained PSA Level 2 (PSA-L2) security certification. This makes the ESP32-C6 the first RISC-V based product to achieve this level of security certification, which can avoid the issue of hidden instructions.
Espressif stated that this highlights its commitment to providing robust, secure, and reliable IoT solutions, but has not yet commented on Tarlogic’s research.
Obtaining PSA Level 2 certification means that the ESP32-C6’s PSA Root of Trust (PSA-RoT) has undergone laboratory evaluation, demonstrating its ability to withstand scalable software attacks and potentially prevent unauthorized software from using hidden instructions.
Teo Swee Ann, founder and CEO of Espressif, stated: “The PSA-L2 certification of the ESP32-C6 underscores our unwavering commitment to providing affordable security protections, making it easier for developers and businesses to access advanced protection. As global regulations continue to evolve, our platform is designed to help customers meet these requirements while delivering secure, reliable, and future-proof products.”
The Tarlogic team initially indicated that these instructions could serve as backdoors for existing devices equipped with ESP32, allowing malicious actors to conduct impersonation attacks by exploiting this hidden functionality. This could be used to bypass code review controls and permanently infect sensitive devices such as smartphones, computers, smart locks, or medical devices.
“We want to clarify that referring to the existence of proprietary HCI instructions (which allow reading and modifying memory in the ESP32 controller) as ‘hidden functionality’ rather than ‘backdoors’ is more appropriate,” the Tarlogic team stated in an update earlier today. “Using these commands could facilitate supply chain attacks, hide backdoors in chipsets, or execute more complex attacks. We will release more technical details on this matter in the coming weeks.“
The Tarlogic team presented this research at RootedCON, the largest Spanish-speaking cybersecurity conference. It utilized Bluetooth USB, a free tool developed by Tarlogic, which can conduct Bluetooth security audit tests regardless of the operating system of the device.
Researchers reviewed multiple Bluetooth devices using their method, which systematizes the performance of Bluetooth security audits. This uncovered hidden instructions that allow modification of the chip to unlock additional features, inject malicious code, or execute device identity theft attacks.
This could allow malicious actors to impersonate known devices connecting to smartphones, computers, and smart devices, even when they are in offline mode.
PSA Level 2 certification verifies resistance to software attacks and protection of critical assets through Physical Memory Protection (PMP) and Access Management (APM). The PMP and APM implementations in the ESP32-C6 are based on hardware access control, ensuring secure memory isolation and permission separation.
Digital signature peripherals achieve secure cryptographic operations by generating digital signatures in hardware, ensuring that private keys are protected and never exposed to software, thus preventing unauthorized firmware modifications and tampering.
Secure boot ensures that only authenticated firmware can be executed, preventing unauthorized code modifications, while flash encryption protects stored data from unauthorized access by encrypting the contents of external flash memory.
As a PSA Level 2 certified device, the ESP32-C6 adheres to the security model defined by PSA certification. At the core of this security model is ESP-TEE, which is based on immutable hardware and serves as the platform’s root of trust.
ESP-TEE provides hardware enforced isolation, ensuring that trusted applications run in a protected environment, shielded from potential threats in non-secure domains. This enhances the security of critical operations such as cryptographic key management, secure boot verification, and firmware updates.
Editor: Chip Intelligence – Lin Zi
Previous Exciting Articles The US will hold a hearing next week, which may impose tariffs on mature process chips from China! Two former BIS directors discuss: The current state and future direction of the US-China ‘chip war’ Sandisk issues a price increase notice: All products will increase by over 10% starting April 1! Apple iPhone 16e teardown: Details of self-developed 5G baseband chip exposed Trump plans to abolish the ‘Chip Act’, TSMC’s advanced process will increase prices by at least 15% What is the charm of RISC-V chips, and why should nationwide use be encouraged? TSMC’s investment in the US increases to $165 billion: will build three more fabs and two advanced packaging plants! IBM’s R&D department in China officially ceases operations, involving 1,800 people It is reported that the US will comprehensively ban the sale of AI chips to China! Xuantie C930 flagship processor to be delivered in March: performance reaches server level, equipped with Matrix AI engine Full version of DeepSeek deployed on a single machine, who has the most cost-effective all-in-one solution? Domestic GPU wins a historic first with a 1.488 billion yuan AI training push all-in-one order! Samsung will use Yangtze Memory’s patented technology!
For industry communication and cooperation, please add WeChat: icsmart01Chip Intelligence official group: 221807116