Hidden Commands Uncovered in Bluetooth Chip Used in a Billion Devices


### Security Weakness in Bluetooth Chip Threatens Over a Billion Devices

Cybersecurity experts have discovered a possible security issue that may affect over one billion devices internationally.

Researchers at the cybersecurity company [Tarlogic](https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/) have found undocumented commands embedded in a popular Bluetooth chip. This hidden functionality, present in devices around the world, could be exploited by malicious actors to gain unauthorized access.

By abusing these hidden commands, attackers could impersonate trusted devices, enabling them to connect to smartphones, computers, and various other electronics. Once connected, attackers could gather sensitive information and even track users’ activities remotely.

### The At-Risk Bluetooth Chip

The chip in question, the ESP32, is manufactured by the China-based company Espressif. It is a microcontroller that provides both WiFi and Bluetooth connectivity. In 2023, Espressif announced that it had sold over one billion units of the ESP32 chip, which is frequently used in IoT devices, including smart home gadgets.

### Exploiting the Hidden Commands

Tarlogic states that these undocumented commands could facilitate impersonation attacks, enabling attackers to compromise critical devices such as smartphones, computers, smart locks, and even medical equipment. By circumventing security assessments, attackers could gain persistent access to compromised devices.

To identify these weaknesses, researchers at Tarlogic created a specialized Bluetooth driver tool, which helped them locate 29 hidden functions within the chip. These functions could be exploited to impersonate trusted devices and gather confidential data.

### Why the ESP32 Chip Is So Popular

One factor contributing to the widespread use of the ESP32 chip is its low cost. Espressif sells these Bluetooth chips for around $2, making them an economical option for manufacturers compared to pricier alternatives.

### Tracking the Vulnerability

As reported by [BleepingComputer](https://www.bleepingcomputer.com/news/security/undocumented-commands-found-in-bluetooth-chip-used-by-a-billion-devices/), this security weakness is officially tracked under the identifier [CVE-2025-27840](https://nvd.nist.gov/vuln/detail/CVE-2025-27840).

With billions of devices potentially exposed to risk, cybersecurity professionals urge manufacturers and users to remain alert and adopt essential security protocols to reduce potential threats.