A very unpleasant story that security researchers from Tarlogic Security have just revealed. There is a set of unknown commands that could be misused as a backdoor in a popular chip that has been built into millions of devices to support Bluetooth and WiFi connections.
What are we talking about?
Millions of smartphones, computers, smart locks, medical devices and IoT devices contain an ESP32 microcontroller that is used to handle WiFi and Bluetooth connections.
Security researchers from Tarlogic Security have discovered during an analysis that this microcontroller supports an undocumented instruction set that has escaped previous audits. This instruction set could be misused as a backdoor.
The Tarlogic Security report
Tarlogic Security has developed a tool (BluetoothUSB) to perform security audits of Bluetooth devices under various operating systems. Tarlogic BluetoothUSB is a driver that can be used to implement security tests and attacks, so that complete security audits can be carried out on all types of devices regardless of operating system or programming language, and without needing a variety of hardware to run all tests in a single audit.
During tests, security researchers discovered undocumented commands in the ESP32 microchip, which is installed in millions of (IoT) devices. Tarlogic discovered hidden manufacturer-specific commands (opcode 0x3F) in the ESP32 Bluetooth firmware that enable low-level control over Bluetooth functions.
The microcontroller, which costs around 2 US dollars, enables WiFi and Bluetooth connections and is installed in almost all of the device types mentioned above. The security researchers refer to the hidden functionality in the form of undocumented commands as a "backdoor in the ESP32". By exploiting these commands, this backdoor makes it possible to carry out so-called "impersonation attacks" and to permanently infect sensitive devices such as cell phones, computers, smart locks or medical devices by bypassing code audit controls.
In this way, according to the report, malicious actors could impersonate known devices in order to connect to cell phones, computers and smart devices, even if these are in offline mode. Attackers could thereby gain access to confidential information stored on the devices, which could provide access to personal and business conversations in order to spy on citizens and companies.
Spanish security researchers Miguel Tarascó Acuña and Antonio Vázquez Blanc presented their findings at RootedCON in Madrid (slides here) and also published an article, "Tarlogic detects a hidden feature in the mass-market ESP32 chip that could infect millions of IoT devices", on March 6, 2025.
Bleeping Computer seems to have obtained additional information about the undocumented commands and described them in this post. A total of 29 undocumented commands were found that allow memory manipulation (read/write of RAM and flash), MAC address spoofing (device identification) and LMP/LLCP packet injection.
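The article describes the hidden commands as manufacturer-specific HCI commands under opcode 0x3F. In the Bluetooth Host Controller Interface, 0x3F is the opcode group (OGF) that the Bluetooth Core Specification reserves for vendor-specific commands, and an HCI command packet on a UART (H4) link is framed as indicator 0x01, a 16-bit little-endian opcode, a parameter length byte and the parameters. A defender auditing host-to-controller traffic can therefore at least flag every command in that group and compare it against what the vendor documents. The following Python is an added example written for this post, not code from Tarlogic, Espressif or Bleeping Computer; the sample packets are constructed, and the vendor command with OCF 0x001 and four parameter bytes is made up for illustration and is not one of the reported ESP32 commands.

```python
# Added example: parse H4-framed HCI command packets and flag vendor-specific
# ones (OGF 0x3F), the opcode group in which undocumented manufacturer
# commands live. Not from Tarlogic, Espressif or Bleeping Computer.

from dataclasses import dataclass

H4_COMMAND = 0x01           # H4 packet indicator for an HCI command packet
OGF_VENDOR_SPECIFIC = 0x3F  # Core Spec: opcode group reserved for vendor commands


@dataclass
class HciCommand:
    ogf: int
    ocf: int
    params: bytes

    @property
    def opcode(self) -> int:
        # HCI opcode = OGF in the top 6 bits, OCF in the low 10 bits
        return (self.ogf << 10) | self.ocf


def parse_h4_command(pkt: bytes) -> HciCommand:
    """Parse one H4 HCI command packet: 0x01 | opcode (LE16) | len | params."""
    if len(pkt) < 4 or pkt[0] != H4_COMMAND:
        raise ValueError("not an H4 HCI command packet")
    opcode = pkt[1] | (pkt[2] << 8)
    plen = pkt[3]
    params = pkt[4:4 + plen]
    if len(params) != plen:
        raise ValueError("truncated parameter block")
    return HciCommand(ogf=opcode >> 10, ocf=opcode & 0x3FF, params=params)


def is_vendor_specific(cmd: HciCommand) -> bool:
    """True when the command sits in the vendor-specific opcode group."""
    return cmd.ogf == OGF_VENDOR_SPECIFIC


def audit(packets) -> list:
    """Return one finding string per vendor-specific command in a capture.

    Malformed or non-command packets are skipped rather than aborting the
    audit, so a single truncated frame cannot hide later findings.
    """
    findings = []
    for i, pkt in enumerate(packets):
        try:
            cmd = parse_h4_command(pkt)
        except ValueError:
            continue
        if is_vendor_specific(cmd):
            findings.append(
                f"pkt {i}: vendor-specific HCI command OCF=0x{cmd.ocf:03x} "
                f"opcode=0x{cmd.opcode:04x} len={len(cmd.params)}"
            )
    return findings


# Constructed sample capture (not real ESP32 traffic):
SAMPLE = [
    bytes([0x01, 0x03, 0x0C, 0x00]),                          # HCI_Reset: OGF 0x03, OCF 0x003
    bytes([0x01, 0x09, 0x10, 0x00]),                          # HCI_Read_BD_ADDR: OGF 0x04, OCF 0x009
    bytes([0x01, 0x01, 0xFC, 0x04, 0xDE, 0xAD, 0xBE, 0xEF]),  # made-up vendor cmd: OGF 0x3F, OCF 0x001
    bytes([0x01, 0x02, 0xFC, 0x04, 0xDE]),                    # truncated frame, skipped by audit()
    bytes([0x02, 0x00, 0x20, 0x00, 0x00]),                    # ACL data packet, not a command
]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

Flagging OGF 0x3F alone does not tell you whether a command is benign: vendors use this group for legitimate configuration as well. The useful step is to keep a list of the vendor commands your firmware is expected to issue and treat anything outside that list, or any vendor command arriving from an unexpected source, as something to investigate.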
There is now CVE-2025-27840 for these 29 commands that Espressif did not document for its ESP32 chip. The base score is classified as 6.8 (Medium). However, it is unclear to me how users can protect themselves from exploitation and whether there is a firmware update from the manufacturer that removes this vulnerability from devices.
To run the commands you need to connect a special console/debug cable to the chip. This is a storm in a teacup. The researchers have even retracted parts of their statements.