cross-posted from: https://programming.dev/post/26664400
Tarlogic developed a new C-based USB Bluetooth driver that is hardware-independent and cross-platform, allowing direct access to the hardware without relying on OS-specific APIs.
Armed with this new tool, which enables raw access to Bluetooth traffic, Tarlogic discovered hidden vendor-specific commands (Opcode 0x3F) in the ESP32 Bluetooth firmware that allow low-level control over Bluetooth functions.
In total, they found 29 undocumented commands, collectively characterized as a “backdoor,” that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection.
Espressif has not publicly documented these commands, so either they weren’t meant to be accessible, or they were left in by mistake. The issue is now tracked under CVE-2025-27840.
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 124 users / day
- 1.05K users / week
- 1.3K users / month
- 4.58K users / 6 months
- 1 subscriber
- 3.55K Posts
- 89.5K Comments
- Modlog
The statement from Espressif:
https://www.espressif.com/en/news/Response_ESP32_Bluetooth
I don’t see a spooky name and a logo; this is a dud.
Not a backdoor, just undocumented commands on the hci. You would already need access to the device from the microcontroller side to leverage them. Also it’s not uncommon for older devices like this to have undocumented commands
Seems more like a feature considering how ESP32s are used.
They are in a lot of IoT devices that are not hobby and dev related too. Like my folk’s smoker grill has one that is also on a ridiculous AWS connection and designed to try and stay on 24/7 like proper stalkerware nonsense.
https://darkmentor.com/blog/esp32_non-backdoor/
There are a number of explanations for those Opcodes. Seems like quite a few knowledgeable peeps are wading in to explain what they think the researchers are seeing. The most open peer review ever!!