Secret commands found in Bluetooth chip used in a billion devices

A potential security issue has been discovered by cybersecurity researchers that has the capability to affect more than one billion devices.

According to researchers at the cybersecurity firm Tarlogic, a hidden command has been found coded into a bluetooth chip installed in devices around the world. This secret functionality can be weaponized by bad actors and, according to the researchers, used as an exploit into these devices.

Using these commands, hackers could impersonate a trusted device and then connect to smartphones, computers, and other devices in order to access information stored on them. Bad actors can continue to utilize their connection to the device to essentially spy on users.

The bluetooth chip is called ESP32 and is manufactured by the China-based company Espressif. According to researchers, the ESP32  is "a microcontroller that enables WiFi and Bluetooth connection." In 2023, Espressif reported that one billion units of its ESP32 chip had been sold globally. Millions of IoT devices like smart appliances utilize this particular ESP32 chip.

Tarlogic researchers say that this hidden command could be exploited, which would allow  "hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls." Tarlogic says that these commands are not publicly documented by Espressif.

Researchers with Tarlogic developed a new Bluetooth driver tool in order to aid in Bluetooth-related security research, which enabled the security firm to discover a total of 29 hidden functionalities that could be exploited to impersonate known devices and access confidential information stored on a device. 

According to Tarlogic, Espressif sells these bluetooth chips for roughly $2, which explains why so many devices utilize the component over higher costing options.

As BleepingComputer reports, the issue is being tracked as CVE-2025-27840.