
Backdoor on the ESP32? Analyzing Media Exaggeration


In recent days, a news story has caused a stir in the tech community: “A backdoor has been discovered in the ESP32!”.

What many understood was that a huge security hole had been found in the ESP32's Bluetooth stack, allowing malicious code execution, such as changing bytes in memory or launching commands.

🚨 General alarm! 🚨 Is your product at risk? Can hackers control your smart devices? Or worse! Is the ESP32 you installed for your uncle Manolo to control his irrigation compromised? 😱

Well, calm down. As often happens in these cases, the reality is much less alarming than the headlines suggest (sorry to disappoint you 😆).

Let's break down, slowly, what really happened, why it is not as serious as it seems, and what lessons we can learn from this episode.

🧠 What is HCI Mode in Bluetooth?

To understand why this is not the security problem some have claimed, we must first understand how Bluetooth works (the protocol is quite a bit more complicated than we usually think).

Specifically, one part of the specification is the HCI (Host Controller Interface). It is the interface through which a device without its own Bluetooth radio uses a separate Bluetooth chip to get one.

For example, a computer without BT, which uses a Bluetooth USB “dongle”.

In this HCI mode, the Bluetooth chip (the Controller) communicates with a more powerful device (the Host), like a computer or a mobile phone.

For this to work, the BT chip has to be specifically put into HCI mode. It then talks to the Host over a physical link (UART, USB, etc.).

For communication, the Host sends commands to the Controller to perform actions like scanning devices, connecting to them, or updating the firmware.

These commands can be:

  • Standard → Defined by the Bluetooth protocol.
  • Vendor-specific (Vendor-Specific Commands, VSCs) → Defined by the chip manufacturer, used for internal functions like debugging or advanced configuration.
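To see what these commands actually look like on the wire, here is a small added example (my own code, not from the article's research or from Espressif's firmware) that builds and decodes HCI command packets as they travel over a UART (H4) link, and tells a standard opcode from a vendor-specific one by its OGF. The packet layout and the standard opcodes follow the Bluetooth Core Specification; the vendor opcode used in the usage section (OGF 0x3F, OCF 0x0123) is a made-up placeholder, not a real ESP32 command, and all packets are constructed inline so nothing needs real hardware.

```python
"""
Minimal HCI (UART/H4 transport) command and event codec.

Added example, not code from the original article or from Espressif.
Packet layout and standard opcodes follow the Bluetooth Core Specification;
the vendor opcode in __main__ is a placeholder, not an actual ESP32 command.
"""
import struct

# H4 packet type indicators (first byte on the UART link)
H4_COMMAND = 0x01
H4_EVENT = 0x04

OGF_VENDOR_SPECIFIC = 0x3F      # OGF reserved by the spec for vendor-specific commands
EVT_COMMAND_COMPLETE = 0x0E

# A few well-known standard opcodes (OGF << 10 | OCF), used only for labelling
STANDARD_OPCODES = {
    0x0C03: "HCI_Reset",                            # OGF 0x03, OCF 0x0003
    0x1001: "HCI_Read_Local_Version_Information",   # OGF 0x04, OCF 0x0001
    0x200B: "HCI_LE_Set_Scan_Parameters",           # OGF 0x08, OCF 0x000B
}


def make_opcode(ogf: int, ocf: int) -> int:
    """Pack OGF (6 bits) and OCF (10 bits) into the 16-bit HCI opcode."""
    if not 0 <= ogf < 0x40 or not 0 <= ocf < 0x400:
        raise ValueError("OGF must fit in 6 bits and OCF in 10 bits")
    return (ogf << 10) | ocf


def split_opcode(opcode: int) -> tuple:
    """Inverse of make_opcode: return (ogf, ocf)."""
    return opcode >> 10, opcode & 0x03FF


def build_command(opcode: int, params: bytes = b"") -> bytes:
    """Serialize an HCI command exactly as the Host sends it to the Controller."""
    if len(params) > 255:
        raise ValueError("HCI command parameters are limited to 255 bytes")
    # type byte, little-endian opcode, parameter total length, parameters
    return bytes([H4_COMMAND]) + struct.pack("<HB", opcode, len(params)) + params


def parse_command(packet: bytes) -> dict:
    """Decode an H4 command packet and classify its opcode as standard or vendor-specific."""
    if len(packet) < 4 or packet[0] != H4_COMMAND:
        raise ValueError("not an H4 HCI command packet")
    opcode, plen = struct.unpack_from("<HB", packet, 1)
    params = packet[4:]
    if len(params) != plen:
        raise ValueError(f"parameter length mismatch: header says {plen}, got {len(params)}")
    ogf, ocf = split_opcode(opcode)
    vendor = ogf == OGF_VENDOR_SPECIFIC
    name = ("vendor-specific (not defined by the Bluetooth spec)" if vendor
            else STANDARD_OPCODES.get(opcode, "standard (not in this table)"))
    return {"opcode": opcode, "ogf": ogf, "ocf": ocf,
            "vendor_specific": vendor, "name": name, "params": params}


def parse_command_complete(packet: bytes) -> dict:
    """Decode the Command Complete event the Controller returns for most commands."""
    if len(packet) < 3 or packet[0] != H4_EVENT:
        raise ValueError("not an H4 HCI event packet")
    evt_code, plen = packet[1], packet[2]
    body = packet[3:]
    if evt_code != EVT_COMMAND_COMPLETE or len(body) != plen or plen < 4:
        raise ValueError("not a well-formed Command Complete event")
    # Num_HCI_Command_Packets, Command_Opcode, then Return_Parameters (status first)
    num_pkts, opcode, status = struct.unpack_from("<BHB", body, 0)
    return {"num_hci_command_packets": num_pkts, "opcode": opcode,
            "status": status, "return_params": body[4:]}


if __name__ == "__main__":
    # Standard command: HCI_Reset has no parameters
    reset = build_command(0x0C03)
    print(reset.hex(), parse_command(reset)["name"])

    # Constructed vendor-specific command (placeholder opcode, not a real ESP32 VSC)
    vsc = build_command(make_opcode(OGF_VENDOR_SPECIFIC, 0x0123), b"\xaa\xbb")
    print(vsc.hex(), parse_command(vsc)["name"])

    # Constructed Command Complete event answering HCI_Reset with status 0 (success)
    evt = bytes.fromhex("040e0401030c00")
    print(parse_command_complete(evt))
```

The point of the classification is that a Host (or a sniffer on the UART) can recognise a vendor-specific command purely from its OGF: the spec reserves 0x3F for that purpose, but says nothing about what the command does, which is exactly why such commands end up "undocumented".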

🔎 What happened?

It all started with research at the RootedCon 2025 conference, where the ESP32 firmware was analyzed, specifically its Bluetooth implementation.

The researchers discovered undocumented HCI (Host Controller Interface) commands that allow reading and writing to the Bluetooth controller’s memory.

👉 It is very common for devices to have undocumented commands. Other Bluetooth chips, such as those from Broadcom, Cypress, and Texas Instruments, have them too.

In the research presentation they were called "undocumented commands". However, in a later press release the wording got carried away and spoke of "the discovery of a backdoor".

And of course, the news quickly went viral, especially in specialized media, and ended up reaching social networks. 🤔 An exaggeration? A bit of clickbait? It might be (in my opinion, yes).

Something must have been off, because after the community's reaction the statement was corrected: the term "backdoor" was replaced by the original "undocumented functions" (a much more accurate description).

🚫 Why is it NOT a backdoor?

The key here is to understand that this is not a malicious backdoor, but rather internal commands that are not publicly documented. This is common practice in the industry.

👉 Other manufacturers like Broadcom and Texas Instruments also have undocumented VSC commands that allow similar operations, such as reading and writing to the controller’s memory.

For these commands to represent a real risk, several conditions must be met:

  • 🛡️ The ESP32 must be in HCI mode: this is not the default mode in most devices. Normally the ESP32 runs the whole Bluetooth stack itself (Host and Controller on the same chip) and never exposes the HCI interface to the outside.

  • 🔌 It must be physically wired to the Host: these commands travel over the HCI transport (UART, USB), so a remote Bluetooth peer cannot send them over the air.

  • 🔑 The Host must already be under the attacker's control, with root privileges: sending raw HCI commands requires privileged access to the HCI transport, and if the Host is compromised to that degree, the security problem is far more serious than these commands.

In other words, an attacker who could execute these commands already has total control over the system (these commands are the least of your problems).

The undocumented commands are not the cause of a compromise, but rather one more tool that an attacker who has already compromised the system, through some previous security flaw, could use.

👉 Let’s give an example

To make it clear, let's use a (made-up) parallel: imagine an undocumented Linux command is discovered that, when executed, tells you the installed Linux version.

To execute it, you need physical access (to the machine’s keyboard) and an administrator user account.

🧑‍💻 Your least problem is that someone can run a command to learn the version. You already had the guy in your house, sitting at the computer keyboard; he could do whatever he wanted!

🤡 Why has the news been exaggerated?

First of all, it must be made very clear that the term backdoor has very negative connotations, especially in the context of computer security.

It suggests an intentional and malicious hidden access mechanism, which is absolutely not the case here (and we should be responsible when making such accusations).

Even if it had been a huge mistake (which it isn't), it would still not be a backdoor. It would be a vulnerability (a zero-day if exploited before a fix existed, or whatever), but not a backdoor.

And why would someone exaggerate a news story like this?

  • Out of ignorance.
  • Due to a misunderstanding.
  • Or due to a combination of media sensationalism and an attempt to draw attention to research that, although interesting, is not as impactful as it was made to seem.

Furthermore, the fact that Espressif is a Chinese manufacturer may have contributed to spreading the “backdoor” narrative, given the current geopolitical context and concerns about security in devices manufactured in China (or for the lols).

I’m not going to comment on politics. But I’ve read things on social media like “you can’t trust the Chinese.” And this is not a technical reason to incorrectly accuse a company of installing a backdoor in its products.

🚀 Lessons learned

Although this case does not represent a serious threat, it does leave us with some important lessons:

  1. 📖 The importance of documentation: Manufacturers should document their internal commands better, especially those that could have security implications (commands that read and write controller memory are exactly that kind).
  2. 🎯 The responsibility of researchers: It is crucial that research is communicated accurately and without sensationalism.
  3. 🔒 Security is a continuous process: This case is a reminder that security is not a state, but a constant process.

In summary, there is no backdoor in the ESP32. What has been discovered are undocumented HCI commands that, although interesting from a technical point of view, do not represent a threat to most users.

As a community, we must continue to promote transparency and rigor in security research, but also be critical of the news we consume and share.

Security is a serious topic, and addressing it responsibly is key to building a safer and more reliable technological ecosystem (how beautifully I’ve put it 🌈).


👉 If you want to read more, I leave you these articles: