Your Bluetooth Devices Might Be Spying on You – And It’s Not Even Your Fault

Because Who Needs Security in a Billion Devices, Right?

Oh, the joys of modern technology! We fill our homes, offices, and even our bathrooms with smart devices because, well, why not? Smart speakers, fitness trackers, baby monitors, doorbells—you name it. They all make life a little easier. But guess what? One of the most widely used Bluetooth chips in the world has some hidden, undocumented commands that could let hackers waltz right in.

Yep, you read that right. A billion devices could be at risk because of a flaw buried inside a tiny but powerful chip called the ESP32. And the best part? Nobody was even supposed to know about it.

Meet the ESP32: The Tiny Chip That’s Everywhere

If you’ve got a smart gadget that connects via Bluetooth or Wi-Fi, chances are, it's running on an ESP32 chip. This little microcontroller is cheap, reliable, and crammed into everything from smart home devices to industrial equipment and even some medical tech.

Manufacturers love it because it makes their gadgets cheaper to produce. Security, however? That’s apparently more of an afterthought.

Surprise! Your Bluetooth Device Has a Secret Backdoor

So, what exactly is the problem? Well, researchers at Tarlogic Security found that the ESP32 has a bunch of hidden commands built into its Bluetooth system. These weren’t in the official documentation (because why tell people important things?), but they’re there—and they can be exploited.

These hidden commands could allow someone to:

  • Mess with your device’s memory (because nothing says fun like an uninvited hacker digging through your data).

  • Send and receive Bluetooth signals in “special” ways (i.e., pretend to be something they’re not).

  • Run unauthorized code on your device (a hacker’s dream come true).

Imagine your Bluetooth speaker suddenly spying on you, or your smart lock letting in a stranger. Sound far-fetched? Well, considering hackers already exploit badly secured IoT devices every single day, it’s really not.

Oh, But Don’t Worry—The Manufacturer Says It’s Fine

Naturally, Espressif Systems, the company behind the ESP32, insists that this is all totally fine and nothing to be alarmed about.

Their explanation? These commands were only meant for debugging. Nothing to see here, folks. Nothing at all.

Oh, and they also say that hackers can’t use them remotely—unless, of course, they already have access to the device. Which totally makes us feel better.

Can This Actually Affect You?

Short answer? Yes. Long answer? It depends.

If you own any smart device that relies on an ESP32 chip, you could be at risk. The problem is, most people have no idea what chips are inside their devices, so there’s no easy way to tell. And unless manufacturers rush to patch this (spoiler: many won’t), a billion devices could remain vulnerable.

How to Protect Your Smart Devices (Without Losing Your Mind)

Alright, so what can you actually do to stay safe? Here are a few realistic steps:

  1. Update Your Devices – If your smart gadget gets a firmware update, install it. It might patch this issue.

  2. Turn Off Bluetooth When You Don’t Need It – The less time it’s on, the fewer opportunities hackers have to exploit it.

  3. Use Strong Passwords – Some smart devices let you set passwords. If yours does, make sure it’s not ‘123456’ or ‘password’ (yes, people still do this).

  4. Keep Smart Devices on a Separate Network – If your router allows you to create a guest network, use it for your IoT gadgets. That way, if one gets hacked, it’s less likely to spread to your important devices.

  5. Monitor for Weird Behavior – If your smart speaker randomly starts talking or your smart lock unlocks itself, you’ve got bigger problems.
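A partial answer to the "no easy way to tell" problem, and a starting list for step 4, as an added example that is not from the original post: this script reads the neighbor table of your own network and flags devices whose MAC address prefix (OUI) is registered to Espressif. The OUI list is a small, partial sample and `SAMPLE` is constructed input. A manufacturer can assign its own MAC addresses, so a miss proves nothing, and a hit means "Espressif radio inside", not "compromised".

```python
import re

# Partial list of OUIs registered to Espressif (assumption: check the IEEE
# OUI registry, which is authoritative and much longer, before relying on it).
ESPRESSIF_OUIS = {"24:0a:c4", "30:ae:a4", "24:6f:28", "a4:cf:12", "3c:71:bf", "84:0d:8e"}

MAC_RE = re.compile(r"\b[0-9a-f]{1,2}(?:[:-][0-9a-f]{1,2}){5}\b", re.I)
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Constructed sample: `ip neigh` lines plus one macOS-style `arp -a` line.
SAMPLE = """\
192.168.1.20 dev wlan0 lladdr 24:0a:c4:11:22:33 REACHABLE
192.168.1.21 dev wlan0 lladdr 30:AE:A4:aa:bb:cc STALE
192.168.1.30 dev wlan0 lladdr da:a1:19:00:00:01 REACHABLE
192.168.1.40 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.50 dev wlan0  FAILED
? (192.168.1.60) at a4:cf:12:0:1:2 on en0 ifscope [ethernet]
"""

def normalize_mac(raw):
    """Lower-case, colon-separated, zero-padded (macOS arp drops leading zeros)."""
    return ":".join(part.zfill(2) for part in re.split(r"[:-]", raw.lower()))

def classify(mac):
    """Return 'espressif', 'randomized' or 'other' for a normalized MAC."""
    if int(mac[:2], 16) & 0x02:
        # Locally administered bit set: a private/randomized address, so the
        # prefix says nothing about who made the hardware.
        return "randomized"
    return "espressif" if mac[:8] in ESPRESSIF_OUIS else "other"

def inventory(neighbor_text):
    """Parse neighbor-table text into (ip, mac, kind) tuples."""
    rows = []
    for line in neighbor_text.splitlines():
        mac, ip = MAC_RE.search(line), IP_RE.search(line)
        if not mac or not ip:
            continue  # FAILED/incomplete entries carry no hardware address
        norm = normalize_mac(mac.group(0))
        rows.append((ip.group(0), norm, classify(norm)))
    return rows

def espressif_hosts(neighbor_text):
    """IPs worth moving to the guest/IoT network and checking for updates."""
    return [ip for ip, _, kind in inventory(neighbor_text) if kind == "espressif"]

if __name__ == "__main__":
    for ip, mac, kind in inventory(SAMPLE):
        print(f"{ip:15} {mac}  {kind}")
```

To run it against a real network, pass the text output of `ip neigh` or `arp -a` to `inventory()` instead of `SAMPLE`.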

Final Thoughts: This Is Why We Can’t Have Nice Things

Look, we love our smart devices. But security in the Internet of Things (IoT) world is an afterthought at best and a joke at worst. Companies focus on making stuff cheap and shipping it fast. The result? A billion devices running on a chip with hidden, hackable features.

So next time your Bluetooth gadget asks to "update," maybe don’t ignore it. Or, you know, go full paranoid and start unplugging everything. Your move.

Noel Bradford

Noel Bradford – Head of Technology at Equate Group, Professional Bullshit Detector, and Full-Time IT Cynic

As Head of Technology at Equate Group, my job description is technically “keeping the lights on,” but in reality, it’s more like “stopping people from setting their own house on fire.” With over 40 years in tech, I’ve seen every IT horror story imaginable—most of them self-inflicted by people who think cybersecurity is just installing antivirus and praying to Saint Norton.

I specialise in cybersecurity for UK businesses, which usually means explaining the difference between ‘MFA’ and ‘WTF’ to directors who still write their passwords on Post-it notes. On Tuesdays, I also help further education colleges navigate Cyber Essentials certification, a process so unnecessarily painful it makes root canal surgery look fun.

My natural habitat? Server rooms held together with zip ties and misplaced optimism, where every cable run is a “temporary fix” from 2012. My mortal enemies? Unmanaged switches, backups that only exist in someone’s imagination, and users who think clicking “Enable Macros” is just fine because it makes the spreadsheet work.

I’m blunt, sarcastic, and genuinely allergic to bullshit. If you want gentle hand-holding and reassuring corporate waffle, you’re in the wrong place. If you want someone who’ll fix your IT, tell you exactly why it broke, and throw in some unsolicited life advice, I’m your man.

Technology isn’t hard. People make it hard. And they make me drink.

https://noelbradford.com