ESP32 chip security vulnerabilities

Security researchers have blown the lid off a potentially major issue. The widely-used ESP32 chip, found in over a billion devices worldwide, contains 29 hidden commands that could potentially compromise security. Yeah, that tiny chip powering your smart thermostat or IoT gadget? Not as secure as you thought.

Researchers from Tarlogic Security presented their findings at RootedCON in Madrid. They discovered undocumented commands that allow serious low-level control of Bluetooth functions. Read and write memory. MAC address spoofing. Packet injection. Pretty serious stuff for a chip that’s practically everywhere these days.

The implications aren’t small. These commands could theoretically enable device impersonation, unauthorized data access, and even pivoting to other network devices. Worse, they might allow attackers to establish long-term persistence. Security audits? Useless if they’re not checking for commands nobody knew existed.

Espressif Systems, the manufacturer, was quick to respond. They clarified these aren’t “backdoors” but debugging features. Just internal tools. Not remotely accessible. Can’t be triggered via Bluetooth. The issue has been assigned CVE-2025-27840 with a medium severity score of 6.8. They’re working on a software fix and pointed out the chip’s existing security features like secure boot. Convenient explanation? You decide.

Tarlogic developed a tool called BluetoothUSB as part of their research. It’s hardware-independent, cross-platform, and gives raw access to Bluetooth traffic. Pretty much how they found these hidden gems in the first place. The team employed their innovative BSAM methodology for systematically auditing Bluetooth device security, which proved crucial in uncovering these hidden features.

The revelation has rippled through the industry. IoT security is already a concern, and this discovery doesn’t help. It’s sparked debate about what constitutes a backdoor versus a debugging feature. The line seems pretty blurry.

The ESP32 is in everything from smart home devices to industrial sensors. Millions of devices. Billions maybe. And they all might need updates. Small businesses are particularly vulnerable to these types of threats, with 60% shutting down within six months after experiencing a cyber attack. The good news? Newer ESP chip series apparently don’t have these issues. Small comfort for the billion devices already out there. Just another day in IoT security.
