Security researchers at Tarlogic Security have uncovered a critical vulnerability in the ESP32 microcontroller that could allow cybercriminals to infiltrate IoT devices with malicious code and steal sensitive data. This chip, which enables Bluetooth and Wi-Fi connectivity, is found in billions of devices worldwide.

Hidden Commands Discovered in Popular Chip

Tarlogic Security researchers have identified an undocumented backdoor in the ESP32 microcontroller manufactured by Espressif Systems. According to Espressif, over one billion units of this chip have been sold globally. The researchers warn that cybercriminals exploiting this backdoor could perform identity attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks, and medical equipment by bypassing code audit controls.

How the Backdoor Enables Data Theft

The security team used their proprietary Bluetooth Security Assessment Methodology (BSAM) to analyze multiple Bluetooth devices. This methodology aims to standardize security assessments for devices using Bluetooth technology. Their investigation revealed that the ESP32 chip—priced at approximately two euros and therefore present in the vast majority of Bluetooth IoT devices—contains hidden commands not documented by the manufacturer. These commands potentially allow malicious actors to arbitrarily modify the chips, unlock additional functions, install malware, and steal digital identities from affected devices.

With this access, cybercriminals could conduct device impersonation or spoofing attacks by creating fake Bluetooth devices that masquerade as legitimate ones. When a user connects to such a device, attackers can intercept keyboard inputs like passwords, banking details, or personal messages. There’s also the danger of unauthorized remote control of devices, with attackers secretly activating microphones or cameras. Beyond laptops and mobile phones, the vulnerability affects digital door locks and medical devices as well.

Protecting IoT Devices

Tarlogic has not disclosed whether they informed chip manufacturer Espressif about the hidden functions. However, the researchers detailed a tool called “BluetoothUSB” in their report, which they developed for conducting security tests on Bluetooth devices. The company introduced this free tool at RootedCON, held in Madrid from March 6-8, 2025. BluetoothUSB aims to simplify security audits by allowing them to be performed independently of the operating system and programming language of the tested device.

Even without security audits, both private users and companies employing IoT devices can take measures to protect themselves:

  • Update firmware regularly
  • Use strong passwords and encryption, and check default settings carefully: create new passwords and disable unnecessary functions
  • Restrict access to your devices by only allowing trusted devices and users

Widespread Impact on Consumer Electronics

The ESP32 chip has become ubiquitous in consumer electronics due to its low cost and versatility. Found in everything from smart home devices and wearables to industrial sensors and automotive systems, the vulnerability potentially affects a vast ecosystem of connected products. The two-euro price point has made it particularly attractive to manufacturers looking to add wireless connectivity to their products without significantly increasing production costs.

Espressif Systems, headquartered in Shanghai, has established itself as a leading provider of low-cost, high-performance wireless communication chips. The company’s ESP32 series has been widely adopted by both hobbyists and commercial product developers, making this backdoor discovery particularly concerning for the broader IoT security landscape. As more devices become connected, such fundamental security flaws could have cascading effects across multiple industries that have embraced IoT technology without thoroughly vetting the security implications of their component choices.

Author

Editorial Team