Undocumented commands that researchers describe as a backdoor have been found in the popular ESP32 wireless controller from the Chinese company Espressif, a chip installed in more than a billion devices. The loophole, which almost no one knew about, could allow attackers to impersonate trusted devices, steal data and keep a persistent foothold on a system.
Two Spanish researchers, Miguel Tarascó Acuña and Antonio Vázquez Blanco from Tarlogic Security, decided to dig deeper and discovered that the chip contains commands that enable a range of malicious actions: impersonating trusted devices, stealing data, and pivoting to other devices on the network. In short, a full set of spy tools. Tarlogic Security presented its findings at the RootedCON conference in Madrid, BleepingComputer reports.
ESP32 is a microcontroller that handles Wi-Fi and Bluetooth connectivity. It is built into smart locks, medical devices, smartphones and computers. The discovered "backdoor" allows attackers to impersonate other systems and infect devices while bypassing security checks. In practice, a smart lock could open for a stranger rather than its owner, quite apart from "simpler" consequences such as theft of personal data.
The researchers also made an important point. Interest in Bluetooth security has declined in recent years, not because the protocol has become more secure, but because previously published attacks either lacked working tooling or relied on outdated software incompatible with modern systems. To study the problem, Tarlogic wrote a new operating-system-independent Bluetooth driver in C that talks to the hardware directly rather than through the standard APIs. This gave them raw access to the controller's HCI interface and to Bluetooth traffic, and led to the discovery of undocumented vendor-specific commands in opcode group 0x3F (OGF 0x3F) in the ESP32 firmware.
In total, 29 such commands were identified, which the researchers characterise as a backdoor. With them it is possible to read and write controller memory, spoof MAC addresses, and inject LMP/LLCP packets; in short, to perform almost any malicious action at the link layer.
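To make the mechanism concrete, here is an added example (not Tarlogic's driver or any Espressif code) showing how HCI command opcodes are structured, why vendor-specific commands live in opcode group 0x3F (and therefore show up as opcodes 0xFCxx), and how a tool with raw HCI access can enumerate which OCFs a controller actually implements. The controller is a constructed stand-in and its command table is made up for the demonstration; it is not the ESP32's command set. The H4 packet layout, the opcode split, the Command Complete and Command Status event formats and the status codes 0x00, 0x01 and 0x12 follow the Bluetooth Core Specification.

```python
"""HCI opcode builder/parser plus a vendor-opcode (OGF 0x3F) enumerator.

Added example, not Tarlogic's driver or Espressif code. SimulatedController
is a constructed stand-in; DEMO_TABLE is illustrative, not the ESP32's.
"""
from __future__ import annotations
import struct

H4_CMD, H4_EVT = 0x01, 0x04                        # H4 packet indicators (UART/USB)
EVT_COMMAND_COMPLETE, EVT_COMMAND_STATUS = 0x0E, 0x0F
OGF_VENDOR = 0x3F                                   # vendor-specific opcode group
STATUS_SUCCESS, STATUS_UNKNOWN_HCI_COMMAND = 0x00, 0x01
STATUS_INVALID_PARAMS = 0x12


def opcode(ogf: int, ocf: int) -> int:
    """Opcode = OGF (6 bits) << 10 | OCF (10 bits); vendor opcodes are 0xFCxx."""
    return ((ogf & 0x3F) << 10) | (ocf & 0x3FF)


def split_opcode(op: int) -> tuple[int, int]:
    return op >> 10, op & 0x3FF


def build_hci_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """H4 command packet: 0x01 | opcode (LE16) | parameter length | parameters."""
    return bytes([H4_CMD]) + struct.pack("<HB", opcode(ogf, ocf), len(params)) + params


def parse_hci_event(pkt: bytes) -> tuple[int, int | None, int | None]:
    """Return (event_code, echoed_opcode, status) for the two command-reply events."""
    if len(pkt) < 3 or pkt[0] != H4_EVT:
        raise ValueError("not an H4 event packet")
    evt, plen = pkt[1], pkt[2]
    params = pkt[3:3 + plen]
    if len(params) != plen:
        raise ValueError("truncated event")
    if evt == EVT_COMMAND_COMPLETE:      # num_hci_cmd_pkts | opcode | status | return params
        _, op = struct.unpack_from("<BH", params)
        return evt, op, params[3]
    if evt == EVT_COMMAND_STATUS:        # status | num_hci_cmd_pkts | opcode
        status, _, op = struct.unpack_from("<BBH", params)
        return evt, op, status
    return evt, None, None


def command_complete(op: int, status: int, ret: bytes = b"") -> bytes:
    params = struct.pack("<BHB", 1, op, status) + ret
    return bytes([H4_EVT, EVT_COMMAND_COMPLETE, len(params)]) + params


def command_status(op: int, status: int) -> bytes:
    params = struct.pack("<BBH", status, 1, op)
    return bytes([H4_EVT, EVT_COMMAND_STATUS, len(params)]) + params


class SimulatedController:
    """Constructed controller (NOT an ESP32) implementing a few vendor OCFs.

    table maps OCF -> (expected parameter length, return payload). Opcodes it
    does not know are answered with Command Status / Unknown HCI Command.
    """

    def __init__(self, table: dict[int, tuple[int, bytes]]):
        self.table = dict(table)

    def send(self, pkt: bytes) -> bytes:
        if pkt[0] != H4_CMD:
            raise ValueError("expected a command packet")
        op, plen = struct.unpack_from("<HB", pkt, 1)
        params = pkt[4:4 + plen]
        ogf, ocf = split_opcode(op)
        if ogf == OGF_VENDOR and ocf in self.table:
            want_len, ret = self.table[ocf]
            if len(params) != want_len:
                return command_complete(op, STATUS_INVALID_PARAMS)
            return command_complete(op, STATUS_SUCCESS, ret)
        return command_status(op, STATUS_UNKNOWN_HCI_COMMAND)


def enumerate_vendor_commands(send, ocfs=range(0x000, 0x400)) -> list[int]:
    """Probe every OCF in OGF 0x3F with an empty parameter list.

    Any reply other than Unknown HCI Command (0x01) means the opcode is
    implemented: a real command given no parameters usually answers with
    Invalid HCI Command Parameters (0x12), which still counts as a hit.
    """
    found = []
    for ocf in ocfs:
        _, op, status = parse_hci_event(send(build_hci_command(OGF_VENDOR, ocf)))
        if op != opcode(OGF_VENDOR, ocf):
            raise ValueError(f"reply opcode {op:#06x} does not match the probe")
        if status != STATUS_UNKNOWN_HCI_COMMAND:
            found.append(ocf)
    return found


# Constructed table: OCFs and payloads are invented for the demonstration.
DEMO_TABLE = {0x001: (0, b"\x01\x02"), 0x010: (6, b""), 0x021: (0, b"")}

if __name__ == "__main__":
    ctrl = SimulatedController(DEMO_TABLE)
    print("implemented vendor OCFs:", [hex(o) for o in enumerate_vendor_commands(ctrl.send)])
```

Against real hardware the `send` callable would write the command to the controller's UART or USB HCI transport and read back the next event; the rest of the logic is unchanged. Probing with empty parameters is deliberate: it reveals which opcodes exist without executing them, which is the safe first step before reverse-engineering what each one does.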
Espressif has not yet commented on the situation or explained where these commands came from. One can only guess whether they were left in by accident or on purpose. The issue is real, however, and has been assigned the identifier CVE-2025-27840.