Partner with usThis website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.
Backdoor in Espressif Bluetooth microcontroller – update
March 20, 2025
Researchers in Spain have uncovered hidden commands in a popular microcontroller used in the Internet of Things (IoT) ecosystem. The team at Tarlogic Innovation in Madrid recently presented their findings on the ESP32 integrated Bluetooth microcontroller from Espressif, a Chinese chip designer. This microcontroller, found in millions of smart devices, utilizes either the Tensilica LX7 core from Cadence Design Systems or a RISC-V core with an extended instruction set architecture developed in-house.
Espressif made headlines when it announced that its ESP32-C6 microcontroller had achieved PSA Certified Level 2 security certification. This certification marked a significant milestone as the ESP32-C6 became the first RISC-V-based product to attain such a high level of security certification. This achievement is expected to address potential vulnerabilities associated with the recently discovered hidden commands in the microcontroller.
According to Espressif, the hidden commands identified by Tarlogic are debug commands intended for testing purposes. These commands are part of the Host Controller Interface (HCI) protocol used in Bluetooth technology to facilitate communication between different Bluetooth layers within a product. Espressif clarified that these commands are meant for developers and are not accessible remotely. Furthermore, these private commands are specific to the ESP32 chips and are not present in other series of Espressif chips.
The team at Tarlogic initially raised concerns that these hidden commands could serve as a backdoor in existing ESP32 devices, potentially enabling malicious actors to conduct impersonation attacks. Exploiting this hidden functionality could allow attackers to infect sensitive devices like mobile phones, computers, smart locks, or medical equipment by bypassing standard code audit controls.
At a recent cybersecurity conference, Tarlogic presented their research findings, showcasing BluetoothUSB, a tool they developed for Bluetooth security audits. Through their methodology, the researchers identified hidden commands that could be used to modify chips, inject malicious code, or carry out identity theft attacks on devices. This discovery highlights the importance of robust security measures in IoT devices to prevent unauthorized access and potential attacks.
Sign up for HardwareBee
Recent Stories
