Recently, some media have reported on a press release initially calling out ESP32 chips for having a “backdoor”. Of note is that the original press release by the Tarlogic research team was factually corrected to remove the “backdoor” designation. However, not all media coverage has been amended to reflect this change. Espressif would like to take this opportunity to clarify this matter for our users and partners.

What was found

The functionality found are debug commands included for testing purposes. These debug commands are part of Espressif’s implementation of the HCI (Host Controller Interface) protocol used in Bluetooth technology. This protocol is used internally in a product to communicate between Bluetooth layers.

Key clarification points

• Internal Debug Commands: These commands are meant for use by developers and are not accessible remotely. Having such private commands is not an uncommon practice.
• No Remote Access: They cannot be triggered by Bluetooth, radio signals, or over the Internet, meaning they do not pose a risk of remote compromise of ESP32 devices.
• Security Impact: While these debug commands exist, they cannot, by themselves, pose a security risk to ESP32 chips. Espressif will still provide a software fix to remove these undocumented commands.
• Scope: If ESP32 is used in a standalone application and not connected to a host chip that runs a BLE host, the aforementioned HCI commands are not exposed and there is no security threat.
• Affected Chipsets: These commands are present in the ESP32 chips only and are not present in any of the ESP32-C, ESP32-S, and ESP32-H series of chips.

Espressif's commitment

Espressif has always prioritized security and is actively working on continuous product security improvements. We have a Product Security Incident Response Process, which has been in place since 2015. This program offers a bug bounty, encouraging researchers to collaborate with us to discover and fix potential issues, enhancing the security of the entire ecosystem.

Espressif also extends its gratitude to the security research community for promptly clarifying that the disclosure does not constitute a backdoor. Their responsible disclosures and continued support have been invaluable in helping users accurately assess the security implications and maintain the integrity of their connected devices. 

At the same time, we recommend that users rely on official firmware and regularly update it to ensure their products receive the latest security patches. Should you have any questions, please feel free to contact Espressif’s official support channels.