Espressif's Response to Undocumented Commands in ESP32 Bluetooth by Tarlogic

I know tech reporting has gone downhill, but I was really surprised by how badly this minor issue was overhyped.. articles with titles like "Hidden Backdoor Discovery Could Expose 1 Billion Bluetooth Devices To Hackers" coming out even yesterday. It's a stretch to even call this a back door.

<a href="https:&#x2F;&#x2F;developer.espressif.com&#x2F;blog&#x2F;2025&#x2F;03&#x2F;esp32-bluetooth-clearing-the-air&#x2F;" rel="nofollow">https:&#x2F;&#x2F;developer.espressif.com&#x2F;blog&#x2F;2025&#x2F;03&#x2F;esp32-bluetooth...</a><p>This is a more detailed and informative link than the press release above:<p>&gt; <i>Espressif will provide a fix that removes access to these HCI debug commands through a software patch for currently supported ESP-IDF versions</i><p>&gt; <i>Espressif will document all Vendor-specific HCI commands to ensure transparancy of what functionality is available at the HCI layer</i>

That&#x27;s about the right response. These don&#x27;t expose a command across a security boundary. You can only exercise them if you&#x27;re already executing arbitary code on the main CPU core.<p>Honestly the original Tarlogic report was so irresponsible that I have to wonder if Espressif is considering legal action.<p>Note btw that the linked press release points to the more detailed blog post explaining the architecture: <a href="https:&#x2F;&#x2F;developer.espressif.com&#x2F;blog&#x2F;2025&#x2F;03&#x2F;esp32-bluetooth-clearing-the-air&#x2F;" rel="nofollow">https:&#x2F;&#x2F;developer.espressif.com&#x2F;blog&#x2F;2025&#x2F;03&#x2F;esp32-bluetooth...</a>

It it possible to create firmware that is encrypted and cannot be read out. Espressif state there is no security issues, but I have a feeling that these debug commands may be used to read out the flash of a properly secured esp32 that otherwise would not be possible…

Previously discussed <a href="https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=43330331">https:&#x2F;&#x2F;news.ycombinator.com&#x2F;item?id=43330331</a>

It&#x27;s crazy that this got as much attention in the first place

This is more concise and clearer. Their first one mocked them being called undocumented, putting it in quotes, when they were in fact undocumented. The main point is that if malicious software has access to these commands, it has access to the rest of the system already so this is the least of your problems (if I understand this correctly).