Stream: SIG-Embedded

Topic: esp32 backdoor


Ralph (Mar 10 2025 at 07:23):

Boy, this world is full of fun. https://www.bleepingcomputer.com/news/security/undocumented-backdoor-found-in-bluetooth-chip-used-by-a-billion-devices/

The ubiquitous ESP32 microchip made by Chinese manufacturer Espressif and used by over 1 billion units as of 2023 contains undocumented commands that could be leveraged for attacks.

Kirp (Mar 10 2025 at 15:27):

Seems to have been downgraded to “hidden feature” now: https://darkmentor.com/blog/esp32_non-backdoor/

This post refutes the claim that researchers found a "backdoor" in ESP32 Bluetooth chips. What the researchers highlight (vendor-specific HCI commands to read & write controller memory) is a common design pattern found in other Bluetooth chips from other vendors as well, such as Broadcom, Cypress, and Texas Instruments. Vendor-specific commands in Bluetooth effectively constitute a "private API", and a company's choice to not publicly document their private API does not constitute a "backdoor".

Ralph (Mar 10 2025 at 16:03):

But remains a choice. Still, interesting. Thanks for the link!

Chris Woods (Mar 17 2025 at 23:10):

I used similar HCI commands while working for an ex-Microsoft phone vendor, to patch a TI Bluetooth chip; we had to use the HCI extensions to patch the firmware on boot. It was a request from TI that we did that; if we didn't, the chip would not allow the phone to pair with a car... fun times... That was around 2003/2004... wow, that was a while ago... :)


Last updated: Dec 13 2025 at 17:03 UTC