The ESP32 "backdoor" that wasn't

“This does not mean vendors are hiding anything or that the missing commands are backdoors. It just means they have chosen not to document all VSCs publicly for customers, and to keep some for internal use only.”<p>I think there’s merit to considering undocumented functionality a bad thing. It’s attack surface we should know about. Why should the chip maker reserve functionality for <i>their use</i> on a chip they sold <i>me</i>? I better get all of that.

The odd thing is, if true, the damage has been done. Few people will believe otherwise.<p>I know little about bluetooth and I kind of believe what this article says, the original did not seem &quot;right&quot; to me.<p>But, in reality, bluetooth security has no real meaning to me since I do all I can to avoid bluetooth :)

&quot;dark&quot; mentor? seriously? I think I saw that film in college.<p>All SoCs manufacturers that are Chinese companies in China are subject by Chinese Law to operate with immediate CCP oversight. This is an immutable and undenied fact. Period. End of Story. There are CCP officers running around the hallways of Allwinner&#x2F;RockChip and even fabless producers like Espressif, as well as small companies that use Western chips (from Intel, etc.) with their own BIOS and peddle online.<p>You have exactly two options: (a) Take the blue pill ..connection interrupted<p>Seriously, do not live in a false reality where you expect the government of any country hundreds with millions of people to feed will not fight tooth and nail in defense of their way system of doing that --using the same techniques of competing states and the latest technical capabilities at their disposal.<p>By the way, can I interest you in a lovely cell phone, my friend? No? How about a 100Mbps battery powered mobile satellite dish the size of a dinner plate? NO?! Maybe just a plain &#x27;ol receive-only pager --I hear they can be a blast!

Cue agenda...

TL;DR<p>The finding by Tarlogic is not suspect, aside from the potential ambiguity in the reporting word choice. Reporters are known for flair, and to drum up FUD outside author or researcher intention.<p>The finding is a undisclosed feature that supports backdoor capabilities without having the glue to call it a full backdoor (semantics imo).<p>Importantly, this is exactly how a clever individual would design a backdoor for plausible deniability and separation of concerns.<p>The fact that it was undisclosed and undocumented means it was secret, and not direct or honest with customers who purchased said devices. Each customer may have a very different threat landscape.<p>By longstanding Cambridge definition, this meets the term definition for a backdoor in general, though is not the working definition among cybersecurity professional contexts.<p>Of note, secrecy coupled with negligence is sufficient for general intent (i.e. malice) in many localities. Which also meets the author&#x27;s interpretation of the Wikipedia definition, though not the author&#x27;s conclusion.<p>The conclusions made in the article are nuanced, and not entirely wrong, but I don&#x27;t care for the doublespeak, it overgeneralizes and misleads sentiment of those who are without a working knowledge of the contexts involved.<p>Is this a backdoor in the cybersecurity context? The author says no, but it really comes down to the legal question, is it negligence if a customer can suffer loss because of an undisclosed undocumented secret in what they bought.<p>This depends, and deviates somewhat in practice and modern law, and I&#x27;m not an attorney (IANAL, not legal advice).<p>In western philosophy defects under common law can lead to legal claims and have remedy under a &#x27;rule of law&#x27;, when it is present.<p>There are modern loopholes that allow manufacturers to not perform the same due dilligence required of physical defects (i.e. disclaim liability for software defects), where it is impossible to remedy, made even moreso by international differences in law (US v. China).<p>Selling devices whose sole purpose is connectivity, where security cannot be managed does violate fundamental cybersecurity principles, and can be used in a classic poisoning the well, supply chain attack.<p>In my opinion, the researchers involved at Tarlogic provided great value in bringing this to the public&#x27;s attention.