A popular microcontroller used in billions of IoT devices and crypto wallets contains serious bugs that put bitcoins at risk of theft, according to experts at Crypto Deep Tech.
The vulnerability, which received the identifier CVE-2025-27840 in the NIST database, affects the ESP32 chip used for Wi-Fi and Bluetooth connectivity. The bug allows attackers to permanently infect microcontrollers through updates, providing opportunities for future attacks.
Once a device is compromised, attackers can sign crypto transactions without authorization and remotely steal private keys.
The microcontroller, which is installed in hardware wallets such as Blockstream Jade, also has insufficient entropy in the pseudo-random number generator (PRNG) used to create the transaction signature. This allows attackers to guess key pairs by brute force.
In the course of their experiments, the experts tested possible attack vectors through the identified bugs. The scripts they implemented made it possible:
- to generate invalid private keys using PRNG flaws;
- to forge bitcoin signatures due to incorrect hashing;
- to extract private keys using small group attacks and manipulation of ECC cryptographic operations;
- to generate fake public keys through exploitation of Y coordinate ambiguity on the ECC curve.
In the research, Crypto Deep Tech experts used a real wallet with 10 BTC.