Can the ESP32 be trusted? Undocumented "backdoor" found in popular microcontroller

As per https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/ :

"At RootedCON, the Tarlogic Innovation team presents research revealing undocumented commands in the ESP32 microchip, present in millions of smart devices with Bluetooth

The cybersecurity company has designed a unique tool to perform security audits of Bluetooth devices on any operating system
Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls."

bluetooth vulnerability

(source: https://x.com/Tarlogic/status/1897584096135581721)

I always suspected that Bluetooth was vulnerable in some manner, but for the ESP32 to have something shady about it is astonishing. If you're interested in cyber security you should check out Tarlogic's github repositories and X feed.

Top Replies

Parents

JWx 6 months ago

After quick examination it seems less severe than hyped:

If this is that one: CVE-2025-27840 "Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory)." they have discovered an undocumented API between user code and bluetooth component...

nvd.nist.gov/.../CVE-2025-27840

It seems - after quick examination - similar to, for example "WiLink 8.0 Bluetooth® Vendor-Specific HCI Commands" by Texas Instruments, that also contain commands like "HCI_VS_Write_Memory_Block" or "HCI_VS_Read_Memory_Block"

The main problem here seems to be that it is not documented - but for example direct memory access for radio interface portion of the chip (in many cases beyond control of the programmer) can be really useful for open-source enthusiast/security minded engineers who hate opaque binary firmware blobs

Whole different story would be if HCI interface would be remotely accessible...
Cancel
Vote Up +7 Vote Down

Sign in to reply

Cancel

Reply

JWx 6 months ago

After quick examination it seems less severe than hyped:

If this is that one: CVE-2025-27840 "Espressif ESP32 chips allow 29 hidden HCI commands, such as 0xFC02 (Write memory)." they have discovered an undocumented API between user code and bluetooth component...

nvd.nist.gov/.../CVE-2025-27840

It seems - after quick examination - similar to, for example "WiLink 8.0 Bluetooth® Vendor-Specific HCI Commands" by Texas Instruments, that also contain commands like "HCI_VS_Write_Memory_Block" or "HCI_VS_Read_Memory_Block"

The main problem here seems to be that it is not documented - but for example direct memory access for radio interface portion of the chip (in many cases beyond control of the programmer) can be really useful for open-source enthusiast/security minded engineers who hate opaque binary firmware blobs

Whole different story would be if HCI interface would be remotely accessible...
Cancel
Vote Up +7 Vote Down

Sign in to reply

Cancel

Children

cstanton 6 months ago in reply to JWx

A better than expected outcome!
Cancel
Vote Up +1 Vote Down

Sign in to reply

Cancel
JWx 6 months ago in reply to cstanton

yes - they are used in many places and mayor security issue would be unfortunate...
Cancel
Vote Up 0 Vote Down

Sign in to reply

Cancel