Chinese-made ESP32 chip revealed to contain 29 hidden commands

Spanish security researchers have disclosed undocumented functionality in the ESP32 microcontroller made by the Chinese company Espressif. They argue that an attacker who can reach these commands could use the chip to mount attacks on, and take control of, other devices. The ESP32, known for its low cost, is used in over one billion Internet of Things (IoT) devices worldwide.

The Internet of Things refers to networks of computing devices and mechanical and digital machines that exchange data over a network without human interaction; it is common in transportation, logistics, industrial manufacturing, healthcare, smart environments and elsewhere.

Researchers Miguel Tarascó Acuña and Antonio Vázquez Blanco of Tarlogic Security in Spain found that the ESP32, a Wi-Fi and Bluetooth microcontroller produced by Espressif, carries numerous undocumented commands with security implications.

Tarlogic Security stated, “The ESP32 microcontroller enables Wi-Fi and Bluetooth connections, present in millions of IoT devices on the market. Hackers could exploit these undisclosed commands for impersonation attacks, bypassing code review mechanisms, leading to permanent infections on smartphones, computers, smart locks, medical devices, and other sensitive equipment.”

While testing various Bluetooth devices with BluetoothUSB, the Bluetooth security audit tool they developed, the Tarlogic researchers unexpectedly found 29 undocumented vendor-specific Host Controller Interface (HCI) commands in the ESP32's Bluetooth controller. HCI is the command interface between a device's host processor and its Bluetooth controller, so these commands are reached from the host side rather than over the air.

According to the researchers, these hidden commands allow memory operations (reading and writing RAM and flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection; chained with other weaknesses, they say, the commands could be used to plant persistent malware and take control of smartphones, computers, smart locks or medical devices.

The researchers cautioned that an attacker could impersonate known devices, even ones in offline mode, to launch attacks, steal confidential information or turn a device into a surveillance tool. Such functionality, they noted, could be used to steal confidential data and personal or business conversations, or to monitor citizens or companies.

Espressif had never documented these commands in its official materials, which led the researchers to suspect either deliberate concealment or negligence during development. The issue has been assigned the identifier CVE-2025-27840.

Tarlogic Security urged users to conduct Bluetooth security audits to detect potential backdoors and exploitable weaknesses, recalling BlueTrust, the Bluetooth weakness the firm disclosed in 2023, which let an attacker determine whether two Bluetooth devices were bonded (trusted each other) and so infer relationships between their owners.
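To make concrete what "undocumented vendor-specific HCI commands" means, and what a Bluetooth audit of the host-controller link would look for, here is a small decoder for the HCI H4 (UART) transport that flags vendor-specific commands. This is an added example written for this page; it is not code from Tarlogic, Espressif or the original article. The framing follows the Bluetooth Core Specification (16-bit opcode = 6-bit OGF and 10-bit OCF, with OGF 0x3F reserved for vendor-specific commands). The sample byte stream is constructed here, and the vendor command in it (OCF 0x001, parameters AA BB) is a made-up placeholder, not one of the ESP32's actual hidden commands.

```python
"""Decode an HCI H4 byte stream and flag vendor-specific (OGF 0x3F) commands.

Added example for illustration; not the ESP32's real command set.
"""
from dataclasses import dataclass
from typing import List, Union

# H4 packet indicators (Bluetooth Core Spec, Vol 4 Part A)
H4_COMMAND, H4_ACL, H4_SCO, H4_EVENT = 0x01, 0x02, 0x03, 0x04

OGF_VENDOR_SPECIFIC = 0x3F       # reserved by the spec for vendor commands
EVT_COMMAND_COMPLETE = 0x0E
OPCODE_READ_BD_ADDR = 0x1009     # OGF 0x04 (Informational), OCF 0x0009


@dataclass
class HciCommand:
    opcode: int
    params: bytes

    @property
    def ogf(self) -> int:
        return self.opcode >> 10

    @property
    def ocf(self) -> int:
        return self.opcode & 0x03FF

    @property
    def is_vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


@dataclass
class HciEvent:
    code: int
    params: bytes


def opcode(ogf: int, ocf: int) -> int:
    """Pack a 6-bit OGF and 10-bit OCF into a 16-bit HCI opcode."""
    return ((ogf & 0x3F) << 10) | (ocf & 0x03FF)


def encode_command(ogf: int, ocf: int, params: bytes = b"") -> bytes:
    """Build an H4 command packet: 0x01, opcode (LE), param length, params."""
    op = opcode(ogf, ocf)
    return bytes([H4_COMMAND, op & 0xFF, op >> 8, len(params)]) + params


def parse_h4(stream: bytes) -> List[Union[HciCommand, HciEvent]]:
    """Split an H4 stream into packets; ACL/SCO data is skipped, not decoded."""
    packets: List[Union[HciCommand, HciEvent]] = []
    i = 0
    while i < len(stream):
        ind = stream[i]
        if ind == H4_COMMAND:
            if i + 4 > len(stream):
                raise ValueError("truncated command header")
            op = stream[i + 1] | (stream[i + 2] << 8)
            plen = stream[i + 3]
            params = stream[i + 4:i + 4 + plen]
            if len(params) != plen:
                raise ValueError("truncated command parameters")
            packets.append(HciCommand(op, bytes(params)))
            i += 4 + plen
        elif ind == H4_EVENT:
            if i + 3 > len(stream):
                raise ValueError("truncated event header")
            code, plen = stream[i + 1], stream[i + 2]
            params = stream[i + 3:i + 3 + plen]
            if len(params) != plen:
                raise ValueError("truncated event parameters")
            packets.append(HciEvent(code, bytes(params)))
            i += 3 + plen
        elif ind == H4_ACL:   # handle/flags (2) + data length (2, LE) + data
            dlen = stream[i + 3] | (stream[i + 4] << 8)
            i += 5 + dlen
        elif ind == H4_SCO:   # handle/flags (2) + data length (1) + data
            i += 4 + stream[i + 3]
        else:
            raise ValueError(f"unknown H4 packet indicator 0x{ind:02x}")
    return packets


def bd_addr_from_complete(evt: HciEvent) -> str:
    """Extract BD_ADDR from a Command Complete for HCI_Read_BD_ADDR.

    Return parameters: Num_HCI_Command_Packets(1), Command_Opcode(2, LE),
    Status(1), BD_ADDR(6, least-significant byte first).
    """
    op = evt.params[1] | (evt.params[2] << 8)
    if evt.code != EVT_COMMAND_COMPLETE or op != OPCODE_READ_BD_ADDR:
        raise ValueError("not a Read_BD_ADDR Command Complete event")
    if evt.params[3] != 0x00:
        raise ValueError(f"controller returned status 0x{evt.params[3]:02x}")
    return ":".join(f"{b:02X}" for b in reversed(evt.params[4:10]))


def audit_vendor_commands(stream: bytes) -> List[str]:
    """Report every host->controller command in the vendor-specific OGF."""
    return [
        f"vendor-specific HCI command OGF=0x{p.ogf:02x} OCF=0x{p.ocf:03x} params={p.params.hex()}"
        for p in parse_h4(stream)
        if isinstance(p, HciCommand) and p.is_vendor_specific
    ]


# Constructed sample trace: reset, read the controller's address, then a
# hypothetical vendor command.  Address 00:11:22:33:44:55 is made up.
SAMPLE_STREAM = (
    encode_command(0x03, 0x0003)                                   # HCI_Reset
    + bytes([H4_EVENT, EVT_COMMAND_COMPLETE, 4, 1, 0x03, 0x0C, 0])  # complete, status 0
    + encode_command(0x04, 0x0009)                                 # HCI_Read_BD_ADDR
    + bytes([H4_EVENT, EVT_COMMAND_COMPLETE, 10, 1, 0x09, 0x10, 0,
             0x55, 0x44, 0x33, 0x22, 0x11, 0x00])                  # BD_ADDR, LSB first
    + encode_command(OGF_VENDOR_SPECIFIC, 0x0001, b"\xaa\xbb")    # hypothetical vendor cmd
)

if __name__ == "__main__":
    for line in audit_vendor_commands(SAMPLE_STREAM):
        print(line)
```

Run against a real trace (for example a btmon or Wireshark export of the host's UART traffic), the audit lists every vendor-specific command the host stack sends; anything there that the vendor's HCI documentation does not describe is exactly the kind of command Tarlogic reported. Note that the parser only sees what the host sends, which is also the point of Espressif's response: these commands are not reachable over the radio, only by code running on the host.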

At around 2 euros (about 2.18 dollars) apiece, the ESP32 has become one of the most widely used Wi-Fi and Bluetooth connectivity chips on the market. In a September 2023 announcement, Espressif said that one billion of its chips had shipped worldwide.

The ESP32 is one of Espressif's main products, and the company's major partners include Baidu, Xiaomi and Amazon, so the issues could affect hundreds of millions of users.

Researchers at the University of Waterloo in Canada previously built Wi-Peep, a device based on ESP32 and ESP8266 low-power Wi-Fi modules plus a voltage regulator, which exploited the fact that Wi-Fi devices answer probe frames from unknown senders to locate smart devices inside buildings.

Espressif Technology, founded in 2008 and currently listed on the Shanghai Sci-Tech Innovation Board, launched its IPO in 2019 at a price of 62.6 RMB (about 8.65 USD), with a closing price of 227.25 RMB (about 31.4 USD) on March 14 this year.

According to the cybersecurity news site Bleeping Computer, the realistic scenarios involve an attacker who already has root (superuser) access to the device, has implanted malware on it, or can push a malicious update; from that position the ESP32 commands could be used to attack other devices.

Researchers explained to Bleeping Computer that “attackers can use ESP32 to invade IoT devices, conduct Bluetooth or Wi-Fi attacks on other devices, and control those devices via Wi-Fi/Bluetooth. Additionally, due to the persistent vulnerabilities in such chips, they could serve as attack gateways and spread to other devices.”

Espressif issued a statement on March 10 disputing Tarlogic Security's characterization. The company said the undocumented commands in the ESP32 are debug commands used for internal testing, cannot be triggered remotely, and do not affect device security, and it promised a software fix that removes these undocumented commands.

On March 8, a user named "ESP_Sprite," who identifies as an Espressif employee, wrote on the company's English-language forum that most of the reported issues could be addressed with a firmware update, while the remainder would require the attacker to exploit additional vulnerabilities first. Tarlogic Security's findings have not yet been independently verified.

Japanese computer engineer Kiyohara Jin expressed concerns, stating that “the Chinese Communist Party is known for imitating others’ products, then inserting backdoor programs once they crack the technology. Many hackers are trained by the Chinese Communist Party and continually exploit these backdoors for hacking to steal important secrets and personal information from other countries.”

“The Chinese Communist Party invests heavily across all sectors, not just in chips and software, essentially leaving its shadow in every field. Therefore, it is recommended to avoid purchasing chips or products associated with the CCP background, as they can easily be exploited by the CCP for eavesdropping or personal data theft,” he warned.