On April 16, Blockstream, a company dedicated to developing Bitcoin (BTC) and cryptocurrency infrastructure, reaffirmed from its official X account that the vulnerability discovered last March does not affect the device it makes, the Jade wallet.
Blockstream repeated the statement because, according to the team behind the company, “the theme has resurfaced again.” The vulnerability in question was detected in the ESP32 microcontroller, manufactured by Espressif Systems and used by some hardware wallets that store crypto assets, including Jade. In these chips, researchers discovered security flaws that could put user funds at risk. According to Jade's maker, the vulnerability does not affect its wallet because it takes a layered approach to entropy.
“(Jade) extracts randomness from multiple sources: user input, CPU temperature sensor, battery status, image, RNG encryption hardware, completion application.”
Blockstream, creator of the Jade Bitcoin wallet.
For their part, other hardware wallets that can be connected to an Electrum wallet may also be at risk. Wallets that use the ESP32 to enable features such as Bluetooth and Wi-Fi connections, which let users configure and operate them from mobile devices, are at the heart of the concerns arising from the vulnerability.
Brands like Trezor and Ledger, which use Secure Element (SE) chips, are out of reach of this threat, as they do not include the ESP32 microcontroller.
Where is this vulnerability?
The ESP32 microcontroller is a low-cost, versatile component known for its ability to connect via Bluetooth and Wi-Fi. Its popularity in open source projects led to its adoption in several hardware wallets, physical devices designed to store private keys offline and protect them from digital attacks.
However, a report published by Crypto Deep Tech researchers, “Bitcoin Bluetooth Attack”, revealed a critical vulnerability in the security of the ESP32 that puts Bitcoin wallets, and wallets for other crypto assets, that use these microcontrollers at risk.
According to the source, the fault lies in the ESP32's random number generator (PRNG), which exhibits insufficient entropy. In a cryptographic context, entropy measures the randomness of a system. A random number generator with insufficient entropy produces predictable sequences, which makes it easier for attackers to guess private keys, for example, the large random numbers used in Bitcoin's ECDSA algorithm to sign transactions.
As the report explains, “The low entropy of ESP32’s PRNG allows attackers to predict generated private keys and can undermine the safety of funds stored in wallet hardware that rely on this chip.”
Additionally, the report highlights that the ESP32's Bluetooth connectivity amplifies the risk. An attacker can use this interface to carry out a remote attack, accessing the device without the need for physical contact. The vulnerability therefore rests on two major weaknesses in the ESP32: the random number generator and the Bluetooth interface.
For example, according to Crypto Deep Tech, a previous vulnerability in the ESP32 Bluetooth protocol, associated with a set of flaws known as BrakTooth (discovered in 2021), makes it possible to run arbitrary code and compromise the device's memory.
For a hardware wallet, this could translate into the ability to sign an illegitimate transaction and drain the user's funds.
Does the Bluetooth flaw mean theft is only possible at short range?
The Bluetooth Low Energy (BLE) used by the ESP32 has a standard range of 10-100 meters in ideal conditions, depending on factors such as signal power, physical obstacles (walls, furniture), and environment (electromagnetic interference).
In real-world scenarios such as public places (cafés, airports), the attacker must be within this range to interact with the hardware wallet.
However, attackers can extend the range of attacks beyond 100 meters using directional antennas or Bluetooth signal amplifiers. In previously documented experiments, such as those related to Bluetooth vulnerabilities (e.g., BrakTooth), ranges have been extended to hundreds of meters or even kilometers with advanced hardware, such as drones equipped with long-range Bluetooth adapters and transceivers.
This means that the attacker does not necessarily have to be at “short distance” in the everyday sense (for example, a few meters away). They could operate from a concealed mobile device in a parked vehicle, a nearby building, or a public space.
Furthermore, the flaws found in the ESP32 are not limited to immediate exploitation via Bluetooth. Attackers can compromise a hardware wallet using Bluetooth as the initial vector and then establish a persistent attack channel.
An attacker within Bluetooth range could load compromised firmware onto the ESP32. This firmware would be programmed to send private keys or recovery seeds to a remote server over Wi-Fi (if enabled), or when the wallet later connects to another device. In this case, the theft of funds can occur at any time after the initial attack, without the need for continued proximity.
Espressif Systems' response
Espressif Systems, the company behind the ESP32, issued a statement in March addressing concerns about the microcontroller's security. The company acknowledges that the ESP32 was not specifically designed for high-security applications, such as those required by cryptocurrency wallets. However, it maintains that the chip can be secure if device manufacturers implement additional measures.
In a statement, Espressif explained that “ESP32 is a general purpose microcontroller and is widely used in Internet of Things (IoT) applications. For advanced security environments, it is recommended that developers incorporate external sources of entropy and dedicated secure elements.”
The company also notes that it is working on firmware updates to mitigate the identified vulnerabilities, including improvements to the random number generator and to the security of the Bluetooth interface. However, Espressif emphasizes that the ultimate responsibility lies with hardware wallet manufacturers, who need to implement these updates and design their devices with additional layers of protection.
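The multi-source approach Blockstream describes for Jade, and the external entropy Espressif recommends, both come down to condensing several independent samples so that the result stays unpredictable even if one source fails. The sketch below is an added illustration, not Blockstream's or Espressif's code; the source labels, the min_sources policy and the stuck-RNG sample are assumptions constructed for the example.

```python
import hashlib
import hmac
import os

# Order of the secp256k1 group; a valid private key k satisfies 1 <= k < N.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def mix_entropy(sources: dict[str, bytes], min_sources: int = 2) -> bytes:
    """Condense several entropy samples into one 32-byte seed.

    Each sample is framed with its label and length, so two different
    splits of the same bytes can never produce the same hash input.
    """
    usable = {name: data for name, data in sources.items() if data}
    if len(usable) < min_sources:
        raise ValueError("not enough independent entropy sources")
    h = hashlib.sha256()
    for name in sorted(usable):
        label = name.encode()
        h.update(len(label).to_bytes(2, "big") + label)
        h.update(len(usable[name]).to_bytes(4, "big") + usable[name])
    return h.digest()


def derive_private_key(seed: bytes) -> int:
    """Expand the seed into a scalar in [1, N-1] by rejection sampling."""
    counter = 0
    while True:
        block = hmac.new(seed, b"privkey" + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        k = int.from_bytes(block, "big")
        if 1 <= k < SECP256K1_N:
            return k
        counter += 1


# Constructed worst case: the on-chip RNG is modelled as stuck at a constant.
STUCK_RNG = b"\x00" * 32


def sample_sources(user_input: bytes) -> dict[str, bytes]:
    """Hypothetical source set; the labels are assumptions for this example."""
    return {
        "chip_rng": STUCK_RNG,       # fully predictable in this scenario
        "user_input": user_input,    # e.g. timing of button presses
        "host_app": os.urandom(32),  # entropy supplied by the connected host
    }
```

With the chip RNG stuck, two calls to derive_private_key(mix_entropy(sample_sources(b"..."))) still return different keys, because the seed depends on every source that contributed.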
Hardware wallets in view: Jade, Electrum, and the exceptions
Despite the reported vulnerabilities, Blockstream has confirmed that its wallet is not vulnerable to the attacks described. In a message published on April 16, 2025 from its official X account, the company said that Jade is protected by a specific hardware configuration.
According to Blockstream, the vulnerable cleanup interface of the ESP32 is not active in Jade V1, even in open source builds, and is completely absent in the Jade Plus version.
Meanwhile, wallets based on Electrum, open source software for managing and storing BTC, may also be affected when running on devices with a built-in ESP32. Electrum is known for its flexibility, which allows users to integrate it with custom hardware. In DIY (do it yourself) hardware wallet projects that use the ESP32, the chip's vulnerabilities can compromise the security of generated private keys.
Hardware wallets that use the ESP32 microcontroller and connect to Electrum include Bowser and the DIY wallet based on LNBIT.
On the other hand, major brands such as Trezor and Ledger are not affected by this issue, as they do not rely on the ESP32. These hardware wallets use secure element (SE) chips, microcontrollers designed for cryptographic applications. They provide an isolated environment for private key generation and storage, and their random number generators are certified and resistant to physical and remote attacks.
However, secure elements are not exempt from other issues. As Cryptootics recently reported, research revealed that the software of the Trezor Safe 3 model can be modified to introduce malicious code if the device is physically stolen or tampered with.