Recent reports have circulated concerning ESP32 chips, initially suggesting the presence of a “backdoor.” This claim originated from a press release by the Tarlogic research team, which has since been corrected to remove the term “backdoor.” Despite this correction, some media outlets have not updated their coverage. Espressif seeks to clarify the situation for its users and partners.
The reported issue involves debug commands designed for testing purposes within the ESP32 chips. These commands are part of Espressif’s implementation of the Host Controller Interface (HCI) protocol, a component used in Bluetooth technology for internal communication between Bluetooth layers. More information about this protocol can be found on Espressif’s technical blog.
There are several key points to understand about these debug commands. Firstly, they are intended for internal use by developers and cannot be accessed remotely. The use of such private commands is a common industry practice. Secondly, these commands cannot be triggered via Bluetooth, radio signals, or the Internet, meaning they do not present a risk of remote compromise to ESP32 devices. Thirdly, while these commands exist, they do not inherently pose a security risk to the chips. Espressif plans to release a software update to remove these undocumented commands.
The scope of the issue is limited. If the ESP32 is used in a standalone application without a connected host chip running a BLE host, the HCI commands are not exposed, posing no security threat. Furthermore, these debug commands are only present in the ESP32 chips and do not affect the ESP32-C, ESP32-S, or ESP32-H series.
Espressif remains committed to product security and is actively engaged in ongoing security improvements. It has established a Product Security Incident Response Process and a bug bounty program, active since 2017, to encourage collaboration with researchers in identifying and resolving potential security issues. Espressif appreciates the role of the security research community in clarifying that the disclosure does not constitute a backdoor, which helps users assess security implications accurately.
Espressif advises users to rely on official firmware and to regularly update it to receive the latest security patches.
For more information, users are encouraged to contact Espressif through its official support channels or consult Espressif’s press release.