In recent days, a news story has circulated that has caused a stir in the tech community: “A backdoor has been discovered in the ESP32!”.
What many have understood is that a huge security hole has been found when using the ESP32’s Bluetooth, allowing malicious code to be executed, such as changing memory bytes or launching commands.
🚨 General alarm! 🚨 Is your product at risk? Can hackers control your smart devices? Or worse! Is the ESP32 you put in your uncle Manolo’s garden for irrigation compromised? 😱
Well, calm down. As often happens in these cases, the reality is much less alarming than the headlines suggest (sorry to disappoint you 😆).
Let’s slowly break down what has actually happened, see why it is not as serious as it seems, and what lessons we can draw from this episode.
🧠 What is the HCI mode in Bluetooth?
To understand why this is not a security problem as some have said, we first need to understand how the Bluetooth protocol works (the protocol is quite a bit more complicated than we usually think).
Specifically, one part of the specification is HCI (Host Controller Interface) mode. It is a way for a device that has no Bluetooth of its own to use another device’s Bluetooth chip.
For example, a computer without BT that uses a Bluetooth USB dongle.
In this HCI mode, the Bluetooth chip (the Controller) communicates with a more powerful device (the Host), such as a computer or a mobile phone.
For this to function, the Bluetooth chip must be specifically set to HCI mode. Then it communicates with the Host, via a physical cable (UART, USB, etc…).
For communication, the Host sends commands to the Controller to perform actions such as scanning for devices, connecting to them, or updating firmware.
These commands can be:
- Standard → Defined by the Bluetooth protocol.
- Vendor-Specific → Vendor-Specific Commands (VSCs), used for internal functions such as debugging or advanced configuration.
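To make the two command classes concrete, here is a small added example (written for this post, not taken from the article, from Espressif, or from the researchers) that decodes HCI command packets as a Host would see them on the UART/USB link and flags the vendor-specific ones. It assumes the standard H4 framing (packet type byte, 16-bit little-endian opcode, parameter length, parameters) and splits the opcode into its Opcode Group Field (OGF) and Opcode Command Field (OCF); OGF 0x3F is the group the Bluetooth specification reserves for vendor-specific commands. The sample traffic is constructed, and the vendor-specific OCF in it is a placeholder, not any real ESP32 command.

```python
"""Decode Bluetooth HCI command packets crossing the Host/Controller link
and flag vendor-specific commands (added example, not the article's code)."""
from dataclasses import dataclass

HCI_COMMAND_PKT = 0x01        # H4 packet type byte for HCI commands
OGF_VENDOR_SPECIFIC = 0x3F    # OGF reserved by the spec for vendor-specific commands

# A few standard opcodes (opcode = OGF << 10 | OCF) from the Bluetooth Core spec
STANDARD_OPCODES = {
    0x0C03: "HCI_Reset",                            # OGF 0x03, OCF 0x0003
    0x1001: "HCI_Read_Local_Version_Information",   # OGF 0x04, OCF 0x0001
    0x2008: "HCI_LE_Set_Advertising_Data",          # OGF 0x08, OCF 0x0008
}


@dataclass
class HciCommand:
    opcode: int
    ogf: int
    ocf: int
    params: bytes

    @property
    def vendor_specific(self) -> bool:
        # Every vendor-specific command lives in OGF 0x3F, whatever its OCF
        return self.ogf == OGF_VENDOR_SPECIFIC

    @property
    def name(self) -> str:
        if self.vendor_specific:
            return f"Vendor-Specific OCF 0x{self.ocf:04X}"
        return STANDARD_OPCODES.get(self.opcode, f"Unknown opcode 0x{self.opcode:04X}")


def parse_hci_command(packet: bytes) -> HciCommand:
    """Parse one H4-framed HCI command: type(1) opcode(2, LE) plen(1) params(plen)."""
    if len(packet) < 4:
        raise ValueError("packet too short for an HCI command header")
    if packet[0] != HCI_COMMAND_PKT:
        raise ValueError(f"not an HCI command packet (type 0x{packet[0]:02X})")
    opcode = int.from_bytes(packet[1:3], "little")
    plen = packet[3]
    params = packet[4:]
    if len(params) != plen:
        raise ValueError(f"parameter length mismatch: header says {plen}, got {len(params)}")
    # OGF is the top 6 bits of the opcode, OCF the low 10 bits
    return HciCommand(opcode=opcode, ogf=opcode >> 10, ocf=opcode & 0x03FF, params=params)


def audit_hci_stream(packets):
    """Return the names of vendor-specific commands seen in a captured Host->Controller stream."""
    flagged = []
    for pkt in packets:
        try:
            cmd = parse_hci_command(pkt)
        except ValueError:
            continue  # events, ACL data or malformed frames are not commands
        if cmd.vendor_specific:
            flagged.append(cmd.name)
    return flagged


# Constructed sample traffic: two standard commands, one placeholder vendor
# command (OGF 0x3F, OCF 0x034, not a real ESP32 opcode) and one HCI event.
SAMPLE_PACKETS = [
    bytes([0x01, 0x03, 0x0C, 0x00]),                     # HCI_Reset, no parameters
    bytes([0x01, 0x01, 0x10, 0x00]),                     # HCI_Read_Local_Version_Information
    bytes([0x01, 0x34, 0xFC, 0x02, 0xAA, 0xBB]),         # vendor-specific, 2 parameter bytes
    bytes([0x04, 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00]),   # Command Complete event, skipped
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        try:
            cmd = parse_hci_command(pkt)
            print(f"OGF 0x{cmd.ogf:02X} OCF 0x{cmd.ocf:04X}: {cmd.name}")
        except ValueError as err:
            print(f"skipped: {err}")
    print("vendor-specific commands seen:", audit_hci_stream(SAMPLE_PACKETS))
```

Run on a capture of the Host-to-Controller link (for instance from a UART sniffer), this is the kind of check that shows which side is issuing vendor-specific commands: they can only originate from software on the Host, which is exactly why their presence says more about the Host being compromised than about the controller.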
🔎 What has happened?
It all started with research at the RootedCon 2025 conference, where the firmware of the ESP32 was analyzed, specifically its Bluetooth implementation.
The researchers discovered undocumented HCI (Host Controller Interface) commands that allow reading and writing to the memory of the Bluetooth controller.
👉 It is very common for devices to have undocumented commands. In fact, they are common in other Bluetooth chips such as those from Broadcom, Cypress, and Texas Instruments.
In the presentation of the research, they were referred to as “undocumented commands”. However, later in a press release, they got carried away and called it “the discovery of a backdoor.”
And of course, the news went viral quickly, especially in specialized media, and ended up reaching social media. 🤔 Excess? A bit of clickbait? Maybe (in my opinion, yes).
And something did happen, because after the community’s reaction, the statement was corrected. The term “backdoor” was changed back to the original, “undocumented functions” (which is a much more accurate description).
🚫 Why is it NOT a backdoor?
The key here is to understand that this is not a malicious backdoor, but rather internal commands that are not publicly documented. This is a common practice in the industry.
👉 Other manufacturers like Broadcom and Texas Instruments also have undocumented VSCs that allow similar operations, such as reading and writing to the controller’s memory.
For these commands to represent a real risk, several conditions must be met:
- 🛡️ The ESP32 must be in HCI mode: This is not the default mode in most devices.
- 🔌 It must be physically wired to the Host: It is not possible to exploit these commands wirelessly (OTA).
- 🔑 The Host must have root access: If the Host is already compromised, the security issue is much more serious than these commands.
In other words, if an attacker could execute these commands, they already had full control over the system (let’s be honest, this is the least of your problems).
The undocumented commands are not the cause of the problem but rather another tool that an attacker could use if they have already compromised the system, stemming from a prior security flaw.
👉 Let’s give an example
To make it clear, let’s use a (made-up) parallel: imagine that an undocumented Linux command has been discovered that, when executed, tells you the installed version of Linux.
To execute it, you need physical access (to the machine’s keyboard) and an administrator user account.
🧑‍💻 Your smaller problem is that someone can run a command to find out the version. You already had the guy in your house, sitting at the computer keyboard; he could do whatever he wanted!
🤡 Why has the news been exaggerated?
First of all, it should be made very clear that the term backdoor has very negative connotations, especially in the context of cybersecurity.
It suggests an intentional and malicious vulnerability, which is not the case here at all (and we should be responsible for making such accusations).
Even if it had been a glaring mistake (which it is not), it would not be a backdoor. It would be a zero-day exploit or whatever… but it is not a backdoor.
So why does someone exaggerate such news?
- Due to ignorance.
- Due to a misunderstanding.
- Or due to a combination of media sensationalism and an attempt to draw attention to research that, while interesting, is not as impactful as it was made to seem.
Additionally, the fact that Espressif is a Chinese manufacturer may have contributed to spreading the “backdoor” narrative, given the current geopolitical context and concerns about the security of devices made in China (or for the lols).
I am not going to opine on politics. But I have read on social media things like “you can’t trust the Chinese.” And this is not a technical reason to wrongly accuse a company of having a backdoor in its products.
🚀 Lessons learned
Although this case does not represent a serious threat, it does leave us with some important lessons:
- 📖 The importance of documentation: Manufacturers should better document their internal commands, especially those that could have security implications.
- 🎯 The responsibility of researchers: It is crucial that research is communicated accurately and without sensationalism.
- 🔒 Security is an ongoing process: This case is a reminder that security is not a state, but a constant process.
In summary, there is no backdoor in the ESP32. What has been discovered are undocumented HCI commands that, while interesting from a technical standpoint, do not pose a threat to most users.
As a community, we must continue to promote transparency and rigor in security research… but also be critical of the news we consume and share.
Security is a serious matter, and addressing it responsibly is key to building a more secure and reliable tech ecosystem (how beautifully I have complained 🌈).
👉 If you want to read more, here are some articles: