Published in News

ESP32 microchip has a backdoor

10 March 2025

Lurks in its Bluetooth firmware

Espressif’s popular ESP32 microchip, found in over a billion devices, has been caught with its digital trousers down, thanks to an undocumented "backdoor" lurking in its Bluetooth firmware. 

For those who came in late, the ESP32 microchip is a low-cost, low-power system-on-chip (SoC) developed by the Chinese outfit Espressif Systems, widely used in IoT and embedded systems. It is known for its Wi-Fi and Bluetooth capabilities, making it a favourite for developers and hobbyists.

Spanish researchers from Tarlogic Security revealed at RootedCON in Madrid that the ESP32’s hidden commands allow attackers to spoof trusted devices, access sensitive data, pivot across networks, and establish persistent malware infections on everything from smart locks to medical equipment. In other words, it’s a hacker’s dream and a security nightmare. 

Tarlogic’s investigation uncovered 29 secret vendor-specific commands within the ESP32’s Bluetooth firmware, allowing low-level memory manipulation, MAC address spoofing, and packet injection.

These backdoor-like functions, accessed via Opcode 0x3F, grant attackers raw control over Bluetooth traffic, bypassing standard OS security layers. 
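The vendor-specific commands described above are ordinary Bluetooth HCI commands in the opcode group the HCI specification reserves for vendors (OGF 0x3F). A defender who wants to know whether a host stack or a bundled driver ever issues such commands can decode an HCI capture and flag that group. The parser below is an added example, not code from the article or from Tarlogic: it walks an H4 (UART-framed) HCI byte stream, splits each command opcode into its OGF and OCF, and reports the commands that fall in the vendor-specific group. The sample stream is constructed inline, and the vendor OCF values in it (0x001, 0x010) are placeholders chosen for the demonstration, not the commands Tarlogic found.

```python
"""Decode an H4-framed Bluetooth HCI stream and flag vendor-specific commands.

Added example; the HCI/H4 layout follows the Bluetooth Core specification
(Vol 4 Part A for H4 framing, Vol 4 Part E for HCI packet formats).
"""
from dataclasses import dataclass

# H4 packet type indicators that precede every packet on the UART transport.
H4_COMMAND = 0x01
H4_ACL = 0x02
H4_SCO = 0x03
H4_EVENT = 0x04

# Opcode Group Field reserved by the HCI specification for vendor commands.
OGF_VENDOR_SPECIFIC = 0x3F


@dataclass
class HciCommand:
    opcode: int
    ogf: int
    ocf: int
    params: bytes

    @property
    def is_vendor_specific(self) -> bool:
        return self.ogf == OGF_VENDOR_SPECIFIC


def split_opcode(opcode: int) -> tuple[int, int]:
    """A 16-bit opcode carries the OGF in its upper 6 bits and the OCF in the lower 10."""
    return opcode >> 10, opcode & 0x03FF


def parse_h4_stream(data: bytes) -> list[HciCommand]:
    """Return every HCI command in an H4 stream.

    ACL, SCO and event packets are skipped using their own length fields so a
    mixed host-to-controller capture can be fed in directly. A truncated packet
    or an unknown packet type raises ValueError instead of being guessed at.
    """
    cmds: list[HciCommand] = []
    i, n = 0, len(data)
    while i < n:
        ptype = data[i]
        if ptype == H4_COMMAND:
            # opcode (2 bytes, little-endian) + parameter total length (1 byte)
            if i + 4 > n:
                raise ValueError(f"truncated command header at offset {i}")
            opcode = data[i + 1] | (data[i + 2] << 8)
            plen = data[i + 3]
            end = i + 4 + plen
            if end > n:
                raise ValueError(f"truncated command parameters at offset {i}")
            ogf, ocf = split_opcode(opcode)
            cmds.append(HciCommand(opcode, ogf, ocf, bytes(data[i + 4:end])))
            i = end
        elif ptype == H4_ACL:
            # handle/flags (2 bytes) + data total length (2 bytes, little-endian)
            if i + 5 > n:
                raise ValueError(f"truncated ACL header at offset {i}")
            i += 5 + (data[i + 3] | (data[i + 4] << 8))
        elif ptype == H4_SCO:
            # handle/flags (2 bytes) + data total length (1 byte)
            if i + 4 > n:
                raise ValueError(f"truncated SCO header at offset {i}")
            i += 4 + data[i + 3]
        elif ptype == H4_EVENT:
            # event code (1 byte) + parameter total length (1 byte)
            if i + 3 > n:
                raise ValueError(f"truncated event header at offset {i}")
            i += 3 + data[i + 2]
        else:
            raise ValueError(f"unknown H4 packet type 0x{ptype:02x} at offset {i}")
        if i > n:
            raise ValueError("packet length field runs past end of stream")
    return cmds


def find_vendor_specific(data: bytes) -> list[HciCommand]:
    """Commands in the vendor-specific opcode group, the ones worth auditing."""
    return [c for c in parse_h4_stream(data) if c.is_vendor_specific]


# Constructed sample capture: HCI_Reset, its Command Complete event,
# LE_Set_Advertising_Enable, then two placeholder vendor commands (OGF 0x3F).
SAMPLE_H4_STREAM = bytes([
    0x01, 0x03, 0x0C, 0x00,                      # HCI_Reset (opcode 0x0C03)
    0x04, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00,    # Command Complete for 0x0C03
    0x01, 0x0A, 0x20, 0x01, 0x01,                # LE_Set_Advertising_Enable (0x200A)
    0x01, 0x01, 0xFC, 0x02, 0xAA, 0xBB,          # placeholder vendor cmd 0xFC01
    0x01, 0x10, 0xFC, 0x00,                      # placeholder vendor cmd 0xFC10
])

if __name__ == "__main__":
    for cmd in find_vendor_specific(SAMPLE_H4_STREAM):
        print(f"vendor-specific command OGF=0x{cmd.ogf:02x} OCF=0x{cmd.ocf:03x} "
              f"params={cmd.params.hex()}")
```

On a real system the input would come from a btsnoop or `btmon` capture converted to raw H4 bytes; the useful question for a defender is not whether OGF 0x3F ever appears (vendor stacks legitimately use it during initialisation) but which OCFs appear, from which process, and whether they match the controller vendor's documented set.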

Espressif, the Chinese firm behind the ESP32, has yet to explain whether this was an oversight or a deliberate backdoor. Either way, security professionals are left wondering how many IoT devices are at risk—and whether firmware updates will be enough to contain the damage.

This revelation could have far-reaching consequences because the ESP32 is everywhere, from consumer gadgets to critical infrastructure.

Last modified on 10 March 2025