A security firm has made headlines with the claim that Espressif’s popular ESP32 family of wireless microcontrollers, used in millions of devices worldwide, has a “backdoor” which could be exploited to perform impersonation attacks and more. But, thankfully, the reality is a lot less exciting.

Late last week, security firm Tarlogic issued a press release based on work its researchers had presented at the RootedCon security conference. While the presentation made no such claim, Tarlogic’s original release stated that its researchers had “detected a backdoor” in Espressif’s ESP32 microcontroller range – a claim which, if true, would put millions of commercially-sold devices, plus innumerable tinkerers’ projects, at risk of attack.

The researchers had found, the presentation explains, a series of undocumented commands in the ESP32’s Bluetooth radio hardware which they said enable “modifying the chip arbitrarily to unlock additional functionalities, infecting these chips with malicious code, and even carrying out attacks of identity theft of devices.”

The company’s claims led to a flurry of panicked headlines, but thankfully the issue appears to have been somewhat overblown. “What the researchers highlight (vendor-specific HCI commands to read & write controller memory) is a common design pattern found in other Bluetooth chips from other vendors as well, such as Broadcom, Cypress, and Texas Instruments,” Xeno Kovah, of rival security firm Dark Mentor LLC, explains in an analysis of the issue. “Vendor-specific commands in Bluetooth effectively constitute a ‘private API [Application Programming Interface]’, and a company’s choice to not publicly document their private API does not constitute a ‘backdoor.’”

Tarlogic presenting at the RootedCon security conference (Source: Tarlogic)

The commands in question can only be accessed over a particular interface on the microcontroller, used for connecting it to an external host device as a Bluetooth or Wi-Fi communications coprocessor. In order to exploit them, an attacker must already be able to run arbitrary code on the host device – meaning the actual security impact of the instructions, documented or otherwise, is extremely low.

Espressif is clear that while the commands both exist and are not mentioned in public-facing documentation, there’s no nefarious purpose behind them, and denies they represent any form of backdoor access system. “The functionality found are debug commands included for testing purposes,” a spokesperson tells us. “These debug commands are part of Espressif’s implementation of the HCI (Host Controller Interface) protocol used in Bluetooth technology. This protocol is used internally in a product to communicate between Bluetooth layers.

“These commands are meant for use by developers and are not accessible remotely. Having such private commands is not an uncommon practice. They cannot be triggered by Bluetooth, radio signals, or over the Internet, meaning they do not pose a risk of remote compromise of ESP32 devices.”
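The HCI commands at the centre of the story are distinguishable on the wire by their opcode group: the Bluetooth Core Specification reserves Opcode Group Field (OGF) 0x3F for vendor-specific commands, which is the "private API" class Kovah and Espressif describe. The following is an added example, not code from the article, Tarlogic or Espressif: it parses H4-framed HCI command packets of the kind a host sends its Bluetooth controller and reports which ones fall in the vendor-specific group, the sort of check a firmware auditor might run over a captured host-to-controller log. The sample trace is constructed for the example, and the vendor-specific OCF and parameter bytes in it are placeholders, not Espressif's actual debug opcodes.

```python
"""Classify H4-framed HCI command packets by opcode group.

Added example for auditing a host-to-controller command log: flags commands in
OGF 0x3F (vendor-specific). The sample trace below is constructed; the
vendor-specific opcode and its parameters are placeholders, not real ESP32 values.
"""
import struct

H4_COMMAND = 0x01            # H4 packet-type byte for an HCI command packet
OGF_VENDOR_SPECIFIC = 0x3F   # OGF reserved for vendor-specific commands

# Opcode Group Field names from the Bluetooth Core Specification (HCI section).
OGF_NAMES = {
    0x01: "Link Control",
    0x02: "Link Policy",
    0x03: "Controller & Baseband",
    0x04: "Informational Parameters",
    0x05: "Status Parameters",
    0x06: "Testing",
    0x08: "LE Controller",
    0x3F: "Vendor Specific",
}


def split_opcode(opcode):
    """An HCI opcode is 16 bits: OGF in the top 6 bits, OCF in the low 10 bits."""
    return opcode >> 10, opcode & 0x03FF


def build_command(opcode, params=b""):
    """Frame one HCI command as H4: type byte, little-endian opcode, length, params."""
    return struct.pack("<BHB", H4_COMMAND, opcode, len(params)) + params


def parse_h4_commands(stream):
    """Return a list of (opcode, params) for each H4 command packet in `stream`.

    Only command packets are expected (a host-side command log); any other
    packet type or a truncated packet raises rather than being skipped.
    """
    commands = []
    i = 0
    while i < len(stream):
        if stream[i] != H4_COMMAND:
            raise ValueError(f"unexpected H4 packet type 0x{stream[i]:02x} at offset {i}")
        opcode, plen = struct.unpack_from("<HB", stream, i + 1)
        params = bytes(stream[i + 4 : i + 4 + plen])
        if len(params) != plen:
            raise ValueError(f"truncated packet at offset {i}")
        commands.append((opcode, params))
        i += 4 + plen
    return commands


def audit_commands(stream):
    """Describe each command and mark whether it belongs to the vendor-specific group."""
    report = []
    for opcode, params in parse_h4_commands(stream):
        ogf, ocf = split_opcode(opcode)
        report.append({
            "opcode": opcode,
            "ogf": ogf,
            "ocf": ocf,
            "ogf_name": OGF_NAMES.get(ogf, "Unknown/Reserved"),
            "param_len": len(params),
            "vendor_specific": ogf == OGF_VENDOR_SPECIFIC,
        })
    return report


def vendor_specific_count(stream):
    """How many commands in the trace use the vendor-specific opcode group."""
    return sum(1 for entry in audit_commands(stream) if entry["vendor_specific"])


# Constructed sample trace: two standard commands followed by one vendor-specific
# command. 0xFC01 (OGF 0x3F, OCF 0x001) and its four parameter bytes are
# placeholders chosen for the example, not an actual vendor opcode.
SAMPLE_TRACE = (
    build_command(0x0C03)                          # HCI_Reset
    + build_command(0x200A, b"\x01")               # LE_Set_Advertising_Enable(1)
    + build_command(0xFC01, b"\xaa\xbb\xcc\xdd")   # placeholder vendor-specific command
)

if __name__ == "__main__":
    for entry in audit_commands(SAMPLE_TRACE):
        flag = "VENDOR-SPECIFIC" if entry["vendor_specific"] else ""
        print(f"opcode 0x{entry['opcode']:04x} OGF 0x{entry['ogf']:02x} OCF 0x{entry['ocf']:03x}"
              f" {entry['ogf_name']:<26} params={entry['param_len']} {flag}")
    print("vendor-specific commands:", vendor_specific_count(SAMPLE_TRACE))
```

A real capture from a host's HCI log would be fed in place of `SAMPLE_TRACE`; the point of the check is the one the article makes, that these commands travel only over the host-to-controller interface, so a log of that interface is where a defender would look for unexpected use of the vendor-specific group.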


Using these commands, the company explains, requires that the ESP32 chip or module in question is being used as a communications coprocessor by an external host; if it’s running the whole show itself, as is the case for many Internet of Things devices from smart thermostats to lighting systems, the commands are entirely inaccessible.

Despite this, Espressif has committed to releasing a software fix that will disable the commands, though, at the time of writing, it has not issued a timescale for its availability. The company has also confirmed that “these commands” are only accessible in original-series ESP32 parts, and not in the later ESP32-C, ESP32-S, and ESP32-H series – though it has not said whether equivalent but as-yet undiscovered debugging instructions are present in other models across its range.

Tarlogic, for its part, still refers to these commands as having the potential for exploitation by malicious attackers but has walked back its earlier “backdoor” designation, stating that “it is more appropriate to refer to the presence of proprietary HCI commands – which allow operations such as reading and modifying memory in the ESP32 controller – as a ‘hidden feature’ rather than a ‘backdoor’”. The company still, however, maintains that “these commands could facilitate supply chain attacks, the concealment of backdoors in the chipset, or the execution of more sophisticated attacks,” and promises a technical report to follow.

For now, though, it seems IoT users, makers, tinkerers, and embedded developers can stand down from high alert – and await the promised software update from Espressif to remove access to the hidden instructions entirely.
