A defect in the ESP32 chips allows for stealing private keys via Bluetooth or predicting them due to failures in the randomness of key generation.
The reiteration by Blockstream occurred because, according to the team behind that company, the "issue has resurfaced." The vulnerability in question was detected in the ESP32 microcontroller, manufactured by Espressif Systems, used in some hardware wallets to store crypto assets, including Jade. At the chip level, they found a security flaw that could compromise users' funds. According to the company that created Jade, this vulnerability does not affect its wallet because it works with a layered approach to entropy.
On April 16, from the official X account of Blockstream, a company dedicated to developing Bitcoin (BTC) and cryptocurrency infrastructure, it was reaffirmed that a vulnerability discovered last March affecting hardware wallets does not impact the devices created by that company, the Jade wallets.
Brands like Trezor and Ledger, which employ Secure Element (SE) chips, are out of reach of this threat, as they do not contain the ESP32 microcontroller.
On the other hand, other hardware wallets that can be connected to the Electrum wallet could also be at risk. Wallets that use the ESP32 to enable features like Bluetooth or Wi-Fi connectivity, allowing them to be set up and operated from mobile devices, place them at the center of concerns arising from the vulnerability.
Where does this vulnerability reside?
The ESP32 microcontroller is a low-cost and highly versatile component, known for its ability to connect via Bluetooth and Wi-Fi. Its popularity in open-source projects has led to its adoption by some hardware wallets, which are physical devices designed to store private keys offline, protecting them against digital attacks.
However, a report published by researchers from Crypto Deep Tech, titled 'Bitcoin Bluetooth Attacks', revealed a critical vulnerability in the security of the ESP32 that endangers Bitcoin wallets and other crypto assets that use these microcontrollers.
According to that source, the flaw lies in the random number generator (PRNG) of the ESP32, which exhibits insufficient entropy. Entropy, in the context of cryptography, measures the degree of randomness of a system. A random number generator with insufficient entropy generates predictable sequences, making it easier for an attacker to deduce private keys, which are large random numbers used, for example, in Bitcoin's ECDSA algorithm to sign transactions.
As the report explains: "The low entropy of the PRNG in the ESP32 allows attackers to predict the generated private keys, compromising the security of the funds stored in hardware wallets that rely on this chip."
Additionally, the report highlights that the Bluetooth connectivity of the ESP32 amplifies the risk. An attacker could exploit this interface to carry out remote attacks, accessing the device without the need for physical contact. This vulnerability manifests through two main weak points in the ESP32: the random number generator and the Bluetooth interface.
For example, according to Crypto Deep Tech, previous vulnerabilities in the Bluetooth protocol of the ESP32, such as those associated with the set of flaws known as BrakTooth (discovered in 2021), have shown that it is possible to execute arbitrary code or compromise the device's memory.
In the case of a hardware wallet, this could translate into the ability to sign unauthorized transactions, draining the user's funds.
Does the Bluetooth flaw imply thefts only at short distances?
Bluetooth Low Energy (BLE), used by the ESP32, has a standard range of 10 to 100 meters under ideal conditions, depending on factors such as signal strength, physical obstacles (walls, furniture), and the environment (electromagnetic interference).
In real-world scenarios, such as a public place (café, airport), an attacker would need to be within this range to interact with the hardware wallet.
However, attackers can use directional antennas or Bluetooth signal amplifiers to extend the attack range beyond 100 meters. In documented experiments, such as those related to previous Bluetooth vulnerabilities (e.g., BrakTooth), it has been shown that the range can be extended to several hundred meters or even kilometers with advanced hardware, like long-range Bluetooth adapters or drones equipped with transceivers.
This means that an attacker would not necessarily be 'close by' in the everyday sense (for example, a few meters away). They could operate from a parked vehicle, a nearby building, or even a mobile device camouflaged in a public space.
In addition, the defect found in the ESP32 is not limited exclusively to immediate exploitation via Bluetooth. An attacker could use Bluetooth as an initial vector to compromise the hardware wallet and then establish a persistent attack channel.
An attacker within Bluetooth range could upload compromised firmware to the ESP32. This firmware could be programmed to send private keys or recovery seeds to a remote server via Wi-Fi (if enabled) or even when the wallet connects to another device later. In this case, fund theft could occur much later after the initial attack, without requiring continuous proximity.
The response from Espressif Systems
Espressif Systems, the company behind the ESP32, published a statement in March addressing concerns about the security of its microcontroller. The company acknowledges that the ESP32 was not specifically designed for high-security applications, such as those required by cryptocurrency hardware wallets. However, it argues that the chip can be secure if additional measures are implemented by device manufacturers.
In its statement, Espressif explains that "The ESP32 is a general-purpose microcontroller, widely used in Internet of Things (IoT) applications. For high-security environments, we recommend developers incorporate external entropy sources and dedicated secure elements, in addition to following best hardware and software design practices."
The company also states that it is working on firmware updates to mitigate the identified vulnerabilities, including improvements to the random number generator and Bluetooth interface security. However, Espressif emphasizes that the ultimate responsibility lies with hardware wallet manufacturers, who must implement these updates and design their devices with additional layers of protection.
