
Security Researchers Warn of Vulnerabilities in Millions of IoT Devices

Security researchers have found undocumented Bluetooth commands in the ESP32 chip, posing potential risks for millions of IoT devices and prompting urgent security considerations.

Agencias

  • March 12, 2025
  • Updated: March 12, 2025 at 8:49 AM

Security researchers have identified undocumented commands in the Bluetooth firmware of the ESP32 chip, which could potentially be exploited by attackers, highlighting a significant vulnerability in a product used in millions of Internet of Things (IoT) devices.

Miguel Tarascó Acuña and Antonio Vázquez Blanco from Tarlogic Security presented their findings at RootedCON in Madrid, initially referring to the commands as a “backdoor”.

However, they later clarified that the term may not accurately describe the nature of the issue, as the individual commands themselves do not inherently pose a risk.

The ESP32 chip, manufactured by Espressif, has gained immense popularity, with over a billion units sold globally. Its widespread deployment in IoT devices amplifies the potential impact of the discovered vulnerabilities.

The specific issue has been classified under the identifier CVE-2025-27840, revealing access to 29 hidden Host Controller Interface (HCI) commands, including critical operations such as 0xFC02, which enables memory writing.

This raises concerns that hostile actors could leverage these commands to conduct impersonation attacks and compromise sensitive devices, including mobile phones, computers, smart locks, and medical equipment, by circumventing code audit measures.

These undocumented commands can be executed across multiple operating systems, including macOS, Windows, and Linux, presenting numerous vectors for potential attacks. In response to these findings, Tarlogic’s Innovation Department has created BluetoothUSB, a driver designed to facilitate comprehensive security audits of Bluetooth devices, regardless of the operating system or programming language employed.

This development aims to democratize access to essential security analysis tools, offering manufacturers a resource to ensure the safety of their Bluetooth-enabled products.

The details of this discovery, which are currently under further examination, underscore the pressing need for robust security practices in the design and implementation of IoT devices as vulnerabilities continue to proliferate.
