A recent alert regarding a reported vulnerability (CVE-2025-27840) in the ESP32 chip used in many electronic devices, including some Bitcoin wallets, triggered concerns across the community.
Initial posts, including one from Protos (a site known for spreading misinformation about Bitcoin and Tether), suggested that Blockstream’s Jade hardware wallet was at risk, prompting widespread discussion about potential threats to users' private keys.
However, Blockstream, the maker of Jade, clarified that the wallet is not impacted by the issue.
In a public statement, the company said it had reviewed the vulnerability when it was first disclosed in early March and determined that Jade remained secure.
Blockstream previously addressed the matter in its community channels and recently reiterated its findings to quell renewed concerns.
The CVE was first reported in early March.
We reviewed it at the time, confirmed Jade was not affected, and addressed it in our community Telegram channel.
Since the topic is surfacing again, we’re resharing a summary.
For those interested, here’s Espressif’s technical…
— Blockstream (@Blockstream) April 16, 2025
Adam Back, CEO of Blockstream, responded directly to the claims, stating, “Jade is not at risk. None of what is said applies. This is an old report, so this is also old recycled news, mixed with some false claims for clicks. Stop wasting everyone's time.”
jade is not at risk. none of what is said applies. this is an old report, so this is also old recycled news, mixed with some false claims for clicks. stop wasting everyone's time.
— Adam Back (@adam3us) April 17, 2025
Further technical discussion revealed that Jade's security architecture does not rely solely on the ESP32’s random number generator (RNG) for entropy when creating private keys.
Independent commentators, including Bitcoin-focused security analysts, noted that Jade supplements entropy by incorporating data from multiple sources such as radio frequencies, camera clicks, CPU counters, battery state, and ambient temperature.
The claim is about a Bluetooth low-level interface that may be insecure in some circumstances; however, it isn't used at all by jade and isn't enabled in jade, and it never was, so it can't be used or abused. And in jade plus it doesn't even exist. If it doesn't apply to jade…
— Lawrence Nahum (@LarryBitcoin) April 17, 2025
This approach ensures that even if the ESP32’s RNG were compromised, sufficient entropy would still exist to securely generate keys.
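To show why a compromised RNG is contained when it is only one of several inputs, here is an added illustration (not Jade's own code; the page does not describe Jade's mixing function): a SHA-256 combiner with length-prefixed inputs, fed constructed sample readings, demonstrating that a zeroed hardware RNG still yields distinct seeds as long as another source varies.

```python
import hashlib
import struct
from typing import Dict


def combine_entropy(sources: Dict[str, bytes]) -> bytes:
    """Hash-combine several entropy sources into one 32-byte seed.

    Each source is fed to SHA-256 with a length prefix so that the
    boundaries between sources cannot be shifted by whoever controls
    one of them. If the sources are independent, the output is at least
    as unpredictable as the best single source, so one failed source
    (e.g. the hardware RNG) cannot cancel out the others.
    """
    h = hashlib.sha256()
    for name in sorted(sources):  # fixed order keeps the mix deterministic
        data = sources[name]
        h.update(struct.pack(">I", len(name)) + name.encode())
        h.update(struct.pack(">I", len(data)) + data)
    return h.digest()


# Constructed sample values, not real device readings.
GOOD_RNG = bytes(range(32))
BROKEN_RNG = b"\x00" * 32            # a failed hardware RNG emitting zeros
CAMERA_A = b"frame-noise-sample-A"
CAMERA_B = b"frame-noise-sample-B"
TEMPERATURE = b"\x17\x2c"
CPU_COUNTER = b"\xde\xad\xbe\xef"


def seed_with(rng: bytes, camera: bytes) -> bytes:
    """Mix a hardware RNG reading with the other (assumed) sources."""
    return combine_entropy({
        "hw_rng": rng,
        "camera": camera,
        "temperature": TEMPERATURE,
        "cpu_counter": CPU_COUNTER,
    })


def rng_failure_is_contained() -> bool:
    """True if a zeroed RNG still gives distinct seeds for different camera
    input, while identical inputs still reproduce the same seed."""
    s1 = seed_with(BROKEN_RNG, CAMERA_A)
    s2 = seed_with(BROKEN_RNG, CAMERA_B)
    s3 = seed_with(BROKEN_RNG, CAMERA_A)
    return s1 != s2 and s1 == s3 and len(s1) == 32


if __name__ == "__main__":
    print("seed:", seed_with(GOOD_RNG, CAMERA_A).hex())
    print("RNG failure contained:", rng_failure_is_contained())
```

The guarantee holds only if the remaining sources are genuinely independent of the failed one; a combiner cannot manufacture entropy that none of its inputs had.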
One user, known as “The ₿itcoin Pharmacist,” explained that even standalone sources like camera clicks could generate more than enough entropy for wallet security.
Appreciate pointing this out. I read more into it and it seems unlikely that this would pose a risk even IF the RNG does not have sufficient entropy.
Jade uses multiple sources of entropy including radio frequencies and camera clicks mixed in with the RNG. Seems those methods…
— The ₿itcoin Pharmacist (@bitcoinRPh) April 17, 2025
Following additional clarification, earlier posts expressing concern were deleted, with commenters acknowledging that Jade likely exceeds industry standards for entropy generation.
The original vulnerability report concerned undocumented Bluetooth Host Controller Interface (HCI) debug commands within the ESP32 chip, which Espressif, the chip’s manufacturer, clarified posed no direct security threat.
Espressif noted that these commands require full execution privileges on the device and cannot be triggered remotely via Bluetooth or internet attacks.
Moreover, later versions of the ESP32 chip family (such as ESP32-C, ESP32-S, and ESP32-H) are not affected.
Espressif has since pledged to further mitigate concerns by releasing software patches disabling access to the debug commands and by documenting all vendor-specific HCI commands for transparency.
While the ESP32 vulnerability itself is real and warrants attention for certain applications, current evidence indicates that Blockstream’s Jade wallet is unaffected and remains secure for users.