A hidden ESP32 feature could let attackers spoof devices, steal data, and install malware. With IoT security at stake, what does this mean for millions of connected devices?

Tarlogic Security has uncovered a hidden functionality in the ESP32, a widely used microcontroller that supports Wi-Fi and Bluetooth connectivity in millions of IoT devices.
This undocumented feature, if exploited, could allow attackers to impersonate legitimate devices and install persistent malware on critical systems, including smartphones, computers, smart locks, and medical equipment. By bypassing standard code audit controls, malicious actors could potentially compromise sensitive devices at scale.
Cybercriminals could exploit these hidden commands to conduct impersonation or spoofing attacks. By creating fake Bluetooth devices that mimic legitimate ones, attackers could trick users into connecting, allowing them to intercept keystrokes, passwords, banking details, and personal messages.
Beyond data theft, unauthorised remote control of devices is also a concern, with attackers potentially activating microphones or cameras unnoticed. The risk extends beyond smartphones and laptops—digital door locks and medical devices could be compromised.
Espressif, the manufacturer of the ESP32, acknowledges the existence of these hidden commands but states that they are intended for debugging purposes. According to the company, these commands are part of the host controller interface (HCI) protocol used in Bluetooth communication and are typically used for internal testing.
While debugging tools are standard in Bluetooth controllers, the presence of undocumented commands raises concerns about potential security risks and unauthorised access.
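The article notes that the hidden commands live in the HCI layer, the command protocol between a Bluetooth host and its controller. The Bluetooth Core Specification reserves one opcode group (OGF 0x3F) for vendor-specific commands, which is where a controller's debug and test commands normally sit, so an audit of host-to-controller traffic can at least flag every command in that group for review against the vendor's documentation. The parser below is an added example written for this page, not Tarlogic's BluetoothUSB tool or any Espressif code. It assumes the standard H4 (UART) framing of HCI command packets, and the sample trace is constructed for illustration; the vendor opcode in it is a placeholder, not an ESP32 value.

```python
"""Audit helper: parse H4-framed HCI command packets and flag vendor-specific opcodes.

Added example, not Tarlogic's or Espressif's code. Assumes the standard HCI
H4 transport framing: indicator byte 0x01 for a command packet, a little-endian
16-bit opcode (OGF in the top 6 bits, OCF in the low 10 bits), a parameter
length byte and the parameters. The sample trace below is constructed and is
not a capture from an ESP32.
"""
from dataclasses import dataclass
from typing import List

H4_COMMAND = 0x01
OGF_VENDOR_SPECIFIC = 0x3F  # Core Spec reserves OGF 0x3F for vendor-specific commands

# A few well-known standard opcodes (OGF << 10 | OCF) to make the output readable.
KNOWN_OPCODES = {
    0x0C03: "HCI_Reset",
    0x1001: "HCI_Read_Local_Version_Information",
}


@dataclass
class HciCommand:
    opcode: int
    params: bytes

    @property
    def ogf(self) -> int:
        return self.opcode >> 10

    @property
    def ocf(self) -> int:
        return self.opcode & 0x03FF

    @property
    def vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC

    def describe(self) -> str:
        name = KNOWN_OPCODES.get(self.opcode, "unknown")
        tag = " [VENDOR-SPECIFIC: check against controller documentation]" if self.vendor_specific else ""
        return f"opcode=0x{self.opcode:04X} ogf=0x{self.ogf:02X} ocf=0x{self.ocf:03X} ({name}){tag}"


def parse_h4_commands(stream: bytes) -> List[HciCommand]:
    """Walk a host-to-controller byte stream and return every command packet in it."""
    cmds: List[HciCommand] = []
    i = 0
    while i < len(stream):
        if stream[i] != H4_COMMAND:
            raise ValueError(f"unexpected H4 packet indicator 0x{stream[i]:02X} at offset {i}")
        if i + 4 > len(stream):
            raise ValueError("truncated HCI command header")
        opcode = int.from_bytes(stream[i + 1:i + 3], "little")
        plen = stream[i + 3]
        params = stream[i + 4:i + 4 + plen]
        if len(params) != plen:
            raise ValueError("truncated HCI command parameters")
        cmds.append(HciCommand(opcode, bytes(params)))
        i += 4 + plen
    return cmds


def vendor_commands(stream: bytes) -> List[HciCommand]:
    """Return only the vendor-specific commands, the ones an audit should review."""
    return [c for c in parse_h4_commands(stream) if c.vendor_specific]


# Constructed sample: a standard reset, a standard version query, and one
# vendor-specific command (OGF 0x3F, OCF 0x001, a placeholder opcode) with two parameter bytes.
SAMPLE_TRACE = bytes.fromhex(
    "01 03 0C 00"          # HCI_Reset, no parameters
    "01 01 10 00"          # HCI_Read_Local_Version_Information, no parameters
    "01 01 FC 02 AA BB"    # vendor-specific opcode 0xFC01 (constructed, not an ESP32 value)
)

if __name__ == "__main__":
    for cmd in parse_h4_commands(SAMPLE_TRACE):
        print(cmd.describe())
```

Flagging OGF 0x3F is deliberately coarse: every vendor, as the article says of TI and others, ships test commands in that group, so the point of the check is to produce a list to compare against the vendor's published command set, not to declare a command malicious on sight.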
This vulnerability affects many ESP-based devices because it originates in the Bluetooth HCI layer. While most ESP development boards and Bluetooth-enabled devices are at risk, some remain unaffected, such as the IndusBoard (which features an advanced ESP32 chip but does not use its Bluetooth function). Likewise, devices such as the IndusBoard ESP32-S2, which lack Bluetooth, are secure.
That said, the actual impact on users remains unclear. One key question is how these commands are executed—whether they require a malicious firmware update to trigger them, in which case the firmware itself could pose a greater risk. Many microcontroller manufacturers, including TI and others, also include test commands, but they are typically documented.
These undocumented ESP32 commands may serve a similar purpose. Given the widespread use of ESP32-based devices, further investigation will likely reveal more details soon.
How to Protect Yourself from Bluetooth Security Risks
Backdoors and security flaws in Bluetooth devices can be exploited if not detected early. Conducting Bluetooth security audits is crucial to prevent potential threats.
• Use security tools. Many existing tools are outdated or require specialised hardware. BluetoothUSB by Tarlogic simplifies security audits across all devices, regardless of the operating system.
• Keep track of your device. Always know where your phone or laptop is, especially in public spaces. Set up a Find My Device service to remotely lock a lost phone.
• Avoid Bluetooth for sensitive data. Never transfer passwords or important files over Bluetooth unless they are encrypted first.
• Turn off Bluetooth when not in use. This minimises attack risks and saves battery life.
By following these steps, you can reduce vulnerabilities and improve Bluetooth security.
Protecting Against Security Risks