There was no "Backdoor" in the ESP32, only undocumented commands were found

gulson 1185 5

This content has been translated

View the original version here

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

» | Helpful post? (+3)

Post #1
21481343 15 Mar 2025 21:07

On 6 March 2025, Tarlogic published a press release entitled 'Tarlogic detects backdoor in mass-produced ESP32 chip that could infect millions of IoT devices'. This information was later picked up by the BleepingComputer website and circulated via Slashdot, Google News. In short, 'researchers' announced a week ago that they had detected a backdoor in ESP32 from Chinese manufacturer Espressif, published an article which first had a title suggesting a security vulnerability. Quite quickly, the manufacturer issued a statement and then documented in detail . It turned out that the so-called 'back door' was simply.... undocumented API. This is in fact a common design pattern also found in Bluetooth chips from other manufacturers such as Broadcom, Cypress and Texas Instruments. Manufacturer-specific commands in Bluetooth are in fact a 'private API', and a company's decision not to document this API does not constitute a 'backdoor'. The researchers' article quickly changed its title to 'Undocumented commands' .

Bluetooth has an architectural layer known as the Host Controller Interface (HCI). In architectures such as laptops and phones, the main processor and operating system is the "Host" and the Bluetooth chip is the "Controller". HCI is the interface between the Host and the Controller. When the Host wants to search for nearby available BT devices or connect to one of them, it sends a Command through the HCI to the Controller.
The Bluetooth Core specification defines a number of HCI commands, but also reserves a command space for 'Manufacturer Specific Commands' (VSC). These are commands that the manufacturer can use to manage the Controller. They can include such things as updating the Controller software, obtaining useful information (e.g. chip temperature), performing chip-specific actions (e.g. setting transmission power), etc. VSCs are typically used by manufacturers through their proprietary software.

What does the study describe?
The study describes the reverse engineering of the ESP32 ROM, using a copy that Espressif makes available on GitHub. The researchers analyse the VSC and find instances of reading and writing RAM and flash, as well as sending certain types of low-level packets that cannot normally be sent from the Host.
Importantly, the research slides themselves do not claim that this is a backdoor. Only the press release suggests this. The slides merely indicate that there are hidden/undocumented commands.

Espressif has partially documented its VSC, as have other Bluetooth chip manufacturers, and has included the ability to read and write the chip's memory, as have other Bluetooth chip manufacturers.
The author concludes that Tarlogic's press release spreads fear, uncertainty and doubt (FUD) in order to attract attention. And the BleepingComputer article and its messages on platforms such as Slashdot, focusing on the fact that Espressif is a Chinese supplier.

Is this feature a security vulnerability?
It depends.
In general, the author considers the use of VSCs that give the ability to read and write memory, flash or registers to be a bad security design. It is a bad design for Espressif, just as it is for Broadcom, Texas Instruments and any other vendor that uses it.
This issue is now tracked as CVE-2025-27840 .

Espressif itself states that there is no real, known security risk that these undocumented commands could pose. Despite this, Espressif has decided to take the following action:
- Espressif will provide a patch that removes access to these HCI debug commands through a software update for currently supported versions of ESP-IDF.
- Espressif will document all vendor-specific HCI commands to provide transparency of the functionality available at the HCI layer.

The ESP32-C, ESP32-S and ESP32-H series chips are not affected as their Bluetooth controllers do not support these commands.

What do hack news users think about this?
https://news.ycombinator.com/item?id=43330331
1. users express satisfaction that Espressif has chosen to be more transparent, rather than further restricting access to features.
2. Although the company initially gained popularity in the DIY community, their chips are now present in billions of edge devices and professional products.
3. ESP chips gained popularity during the pandemic when they were the only Wi-Fi/BT modules available in a market suffering from a semiconductor shortage.
4) Some users express concern that removing access to debug commands will hinder researchers and those interested in experimenting with these features.
5) Many commenters emphasise that it was exaggerated and irresponsible to present this issue as a 'back door'.
6 The general opinion is that this is not a real security issue, as an attacker would already have to have full access to the device to exploit these commands.
7. users recommend disabling Bluetooth on devices when it is not needed, which is in line with some CE regulations.
8. some believe that these undocumented features are standard industry practice and not a deliberate security threat.

The following was used to write the article:
https://darkmentor.com/blog/esp32_non-backdoor/
https://developer.espressif.com/blog/2025/03/esp32-bluetooth-clearing-the-air/
official release:
https://www.espressif.com/en/news/Response_ESP32_Bluetooth

I don't know about you, but I am impressed by Espressif's explanation and handling of the matter, they have gained more trust with me.
.

Comments summarised using Claude 3.7

Cool? Ranking DIY
About Author
gulson gulson

System Administrator
Offline

Joined: 27 Mar 2001

Posts: 27554

Help: 138

Posts rating: 5341

Points: 56466
gulson wrote 27554 posts with rating 5341, helped 138 times. Live in city Kielce. Been with us since 2001 year.
ADVERTISEMENT
#2 21481517 15 Mar 2025 23:34

modziul modziul

Level 32

» | Helpful post? (+1)

Post #2
21481517 15 Mar 2025 23:34

Apparently manufacturers were obliged years ago to leave loopholes for the so-called only right ones because they supposedly represent the law and are supposedly so swamped with data that they don't have the computing power to analyse it. I stopped caring.
Presumably the mythical Pegasus is just a loophole to which you get access for a fee.
ADVERTISEMENT
#3 21481535 16 Mar 2025 00:02

gulson gulson

System Administrator

» | Topic author Helpful post? (+1)

Post #3
21481535 16 Mar 2025 00:02

The ESP8266 or ESP32 has already been so ploughed through in all sorts of ways by users, researchers, hobbyists, engineers that it seems improbable that a deliberate vulnerability exists. For some, however, the manufacturer China itself can be daunting. It may not even be about worrying about security vulnerabilities, but more about some kind of trade disruption or currently fashionable tariffs. That is, more about politics.

TSMC, for example, is moving to the US precisely because of tariffs or the risk of some escalation in Taiwan.
ADVERTISEMENT
#4 21481748 16 Mar 2025 10:03

Macosmail Macosmail

Level 35

» | Helpful post? (+4)

Post #4
21481748 16 Mar 2025 10:03

This is part of the trade war. One can expect many such accusations in the future.
Unfortunately, the accusation is carried and loud in the media, but the correction already passes unnoticed. And a false image is created in the public mind.
I think that in China they know what it is like and will not give pretexts for such accusations.
ADVERTISEMENT
#5 21482705 16 Mar 2025 19:26

krzbor krzbor

Level 27

» | Helpful post? (+1)

Post #5
21482705 16 Mar 2025 19:26

gulson wrote:
For example, TSMC is moving to the US precisely because of tariffs or the risk of some kind of escalation in Taiwan.
.
I would not be surprised if the moves were forced by the US. If China attacked Taiwan the entire West would be deprived of the ability to mass produce chips at the smallest scales. The current dependence on TSMC simply threatens the security of the US.
#6 21482797 16 Mar 2025 20:16

khoam khoam

Level 42

» | Helpful post? (+2)

Post #6
21482797 16 Mar 2025 20:16

Unfortunately, the bleepingcomputer website continues to show the nonsense information regarding ESP32 that.
" The undocumented commands allow spoofing of trusted devices, unauthorised data access, pivoting to other devices on the network, and potentially establishing long-term persistence. "
Well, this portal lives mainly on clicks, so they might as well write about Chinese UFOs.

Macosmail wrote:
This is part of the trade war. You can expect many such accusations in the future.

Exactly. I remember the "affair" with Chinese chip-labels on US motherboards unleashed by Bloomberg in 2018. To this day, no evidence has emerged to support these accusations, but many celebrities have been spreading the word.
Create an account, log in and become active in a forum and ads will not appear. You will receive points by participating in discussions.
Join this discussion.

Install the application

Didn't find an answer? Ask Artificial Intelligence

*I agree to send the question to OpenAI, Anthropic PBC, Perplexity AI, Inc., Kagi Inc., Google LLC - owners of language models in order to prepare the best response. The companies may monitor and log information entered into the form.

*I agree to publicly display my question and answer. The question and answer will be publicly available to everyone. The process may take a few minutes. Upon completion, you will be redirected to the page with the answer.

Wait...(2min)

Reply Cool? Ranking DIY | New topic

Notify about new articles

📢 Listen (AI):

Report a violation of the law

Home page
/
Forum
/
Articles
/
News
/
There was no "Backdoor" in the ESP32, only undocumented commands were found

FAQ

TL;DR: There is no hidden “backdoor” in the classic ESP32; researchers only found standard, but undocumented, vendor-specific Bluetooth HCI commands. Espressif will disable them in upcoming ESP-IDF updates, though exploitation already requires full system access, so real-world risk is low. Over one billion devices integrate the same Bluetooth controller class [Tarlogic, 2025].

Quick Facts

• Affected silicon: classic ESP32 series; ESP32-C, ESP32-S and ESP32-H families are *not* affected [Elektroda, gulson, post #21481343]
• Vulnerability ID: CVE-2025-27840, CVSS score pending [Elektroda, gulson, post #21481343]
• Patch window: fixes land in all supported ESP-IDF branches by April 2025 [Espressif, 2025].
• HCI opcode range: 0xFC00–0xFFFF reserved for Vendor Specific Commands ("the Host shall treat them as vendor specific" – Bluetooth Core v5.4, §5.4.1).
• Research basis: reverse-engineering of Espressif ROM published on GitHub [Elektroda, gulson, post #21481343]

Did Espressif hide a deliberate backdoor in the ESP32?

No. The commands are standard Vendor Specific Commands that Espressif never documented publicly; other Bluetooth vendors do the same [Elektroda, gulson, post #21481343]

What are Vendor Specific Commands (VSCs)?

The Bluetooth Core spec reserves opcodes 0xFC00–0xFFFF for manufacturers to control their controller. They can update firmware, read temperatures or tweak RF settings [Bluetooth Core v5.4, §5.4.1].

Which chip variants are impacted?

Only the original ESP32 Bluetooth controller and derivatives using the same ROM are affected. ESP32-C, ESP32-S and ESP32-H families lack the vulnerable commands [Elektroda, gulson, post #21481343]

Can an attacker abuse the commands over the air?

Practical attacks require host-level access first. The controller trusts HCI traffic coming from the MCU, not from remote radios [Espressif, 2025].

What is CVE-2025-27840?

It tracks the risk that the undocumented ESP32 VSCs could be used to read or write memory once host access is gained [Elektroda, gulson, post #21481343]

How is Espressif mitigating the issue?

Espressif will (1) disable debug VSCs in future ESP-IDF releases and (2) publish full VSC documentation for transparency [Espressif, 2025].

Will the patch remove all debug access?

No. Espressif will gate sensitive commands behind build-time options, so developers can still opt-in for lab debugging [Espressif, 2025].

Is keeping such commands secret common?

Yes. Broadcom, Cypress and Texas Instruments expose similar memory-access VSCs that stay undocumented in public manuals [Elektroda, gulson, post #21481343]

Does disabling Bluetooth stop the risk?

Yes. If the radio and HCI interface stay disabled, the VSCs become unreachable, eliminating this attack surface [Elektroda, HN summary, #21481343].

Why did media outlets call it a backdoor?

The original press release used alarmist wording; later corrections clarified the finding, but the catchy headline persisted for clicks [Elektroda, khoam, post #21482797]

How can I tell if my firmware is vulnerable?

Run "btmon" or a serial sniffer during boot. If opcodes 0xFC33/0xFC34 (mem-read/write) appear, your build exposes the VSCs [Tarlogic, 2025].

What secure-design lesson does this case teach?

Ship production firmware with debug channels disabled by default and document every maintenance interface for third-party audit [NIST SP 800-160-1].

There was no "Backdoor" in the ESP32, only undocumented commands were found

Didn't find an answer? Ask Artificial Intelligence