Attackers can use undocumented commands to hijack Chinese-made Bluetooth chips
Security researchers have shared details of newly discovered, undocumented commands in ESP32 Bluetooth firmware that can be exploited by an attacker. The Chinese-made chip is found in millions of devices, meaning the findings are significant.
Speaking at RootedCON in Madrid, researchers from Tarlogic Security, Miguel Tarascó Acuña and Antonio Vázquez Blanco, described the “hidden functionality” they have unearthed as a backdoor, but later conceded that this may be a misleading description. They warn that exploitation could allow “hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls”.
See also:
- Microsoft is ready to create more annoyance by rolling out OneDrive ads to Office users
- You will soon be able to run Linux Terminal on your Android phone
- Microsoft adds incredible audio and video file conversion tools to PowerToys v0.89.0
The ESP32 chip is incredibly inexpensive, and this accounts for its widespread use. The manufacturer of the hardware, Espressif, has reported over one billion units have been sold, and a common usage is in IoT devices. The undocumented commands can be executed from macOS, Windows and Linux, opening up numerous starting points for an attack.
While initially described as a “backdoor” the undocumented commands were later described as having “hidden functionality”. The change in language stems from the fact that individual commands do not themselves pose a risk -- although the list of commands has yet to be published, for obvious reasons.
The issue is being tracked as CVE-2025-27840 where it has the following description:
Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory).
The discovery came as part of a wider investigation into the Bluetooth standard. As part of this research, a security auditing tools have been developed, as the security firm explains:
Tarlogic’s Innovation Department has developed BluetoothUSB, a driver that allows security tests and attacks to be implemented to achieve complete security audits on all kinds of devices regardless of the operating system or programming language and without the need for a wide variety of hardware to carry out all the tests in an audit, all free of charge.
BluetoothUSB aims to facilitate development and democratize access to the tools needed to analyze the security of the Bluetooth standard in millions of IoT devices. Thanks to this software, it is possible for manufacturers to develop tools to perform their tests on all kinds of Bluetooth gadgets.
The researchers’ findings can be read in full here (Spanish)
Image credit: Tarlogic Security