Are there any plans for firmware updates for the ESP32 vulnerabilities?
To summarize, for most ESP32 applications, we do not foresee any impact from the reported issue provided the product has the recommended platform security features enabled. For a small number of Bluetooth HCI serial use-cases, we can mitigate the issue by disabling debug commands and we will provide an update on that front soon.
Thanks so much for the immediate response!
I'm thinking this is actually not the major threat that was reported... Still, the sad reality is that I'd guess the vast majority of networking devices have some potential to be hacked. Which is why ALL IoT devices in my home run on dedicated networks that are isolated from my other devices.
The ESP32 Bluetooth Backdoor That Wasn't | Hackaday
Effectively, [Xeno] makes the point that VSCs are a standard feature in Bluetooth controllers, which – like most features – can also be abused. [Tarlogic] has since updated their article as well to distance themselves from the "backdoor" term and instead want to call these VSCs a "hidden feature".
03/09/2025 Update:
We would like to clarify that it is more appropriate to refer to the presence of proprietary HCI commands, which allow operations such as reading and modifying memory in the ESP32 controller, as a "hidden feature" rather than a "backdoor."
The use of these commands could facilitate supply chain attacks, the concealment of backdoors in the chipset, or the execution of more sophisticated attacks. Over the coming weeks, we will publish further technical details on this matter.