Hidden ESP32 Feature Poses IoT Security Risk: Tarlogic

Tarlogic Security has uncovered a hidden feature in the widely used ESP32 microcontroller, which could allow cybercriminals to exploit millions of Internet of Things (IoT) devices worldwide. The discovery, presented at the RootedCON cybersecurity conference, raises concerns about potential security threats in smart devices that rely on Bluetooth and WiFi connectivity.

Millions of IoT Devices at Risk

The ESP32 microcontroller, developed by Espressif Systems, is one of the most widely used chips in smart devices globally. It is present in products ranging from smart locks and medical devices to mobile phones and industrial systems. The affordability of the ESP32, available for as little as €2, has made it a popular choice among manufacturers, with over a billion units sold worldwide.

Tarlogic’s researchers discovered undocumented, proprietary HCI commands within the ESP32 chip that allow arbitrary memory modifications, enabling attackers to inject malicious code or impersonate trusted devices. This vulnerability could allow hackers to:

  • Bypass security controls in Bluetooth-enabled IoT devices
  • Gain unauthorized access to mobile phones, computers, and smart home systems
  • Steal sensitive information and spy on users

These hidden commands could potentially be leveraged in supply chain attacks, allowing backdoors to be embedded in devices before they even reach consumers.

Tarlogic’s Solution to Strengthen Bluetooth Security

To address vulnerabilities like the one found in the ESP32, Tarlogic has introduced BluetoothUSB, a new security tool designed to audit Bluetooth devices across different operating systems.

Presented at RootedCON, the world’s largest Spanish-language cybersecurity conference, BluetoothUSB enables manufacturers and security professionals to test Bluetooth security comprehensively, removing barriers related to hardware and software limitations.

Tarlogic’s Director of Innovation, Miguel Tarascó, emphasized that BluetoothUSB aims to democratize security testing, making it accessible for manufacturers, cybersecurity firms, and researchers. The tool will allow organizations to identify weaknesses before they can be exploited by malicious actors.

Ongoing Research and Industry Collaboration

Tarlogic has been at the forefront of Bluetooth security research, previously revealing BlueTrust, a vulnerability that allows Bluetooth devices to be linked and tracked, potentially exposing personal data. In 2024, the company launched BSAM, the first comprehensive methodology for Bluetooth security audits, designed to help companies detect vulnerabilities before they become widespread threats.

The company has worked closely with IoT manufacturers to develop more secure devices, strengthening protection against identity theft, fraud, and cyberattacks.

Clarification on ESP32 Security Risks

Following the release of its findings, Tarlogic clarified that the undocumented features in the ESP32 chip should be classified as “hidden features” rather than a “backdoor”. However, the ability of these proprietary HCI commands to allow memory modifications means they could still be weaponized in supply chain attacks or stealth cyber intrusions.

The company has stated that it will publish further technical details in the coming weeks to help industry stakeholders understand the risks and implement better security defenses for Bluetooth-connected devices.

Implications for the Future of IoT Security

As IoT devices become increasingly integrated into daily life, security flaws in widely used components like the ESP32 microcontroller pose serious risks. Cybersecurity firms and device manufacturers will need to work together to ensure that vulnerabilities do not compromise user safety or data privacy.

Tarlogic’s research underscores the importance of proactive security audits and transparent security measures in IoT manufacturing. With tools like BluetoothUSB, the industry now has a stronger framework to identify and mitigate risks before they can be exploited at scale.
