With the recently announced backdoor found in all ESP32 chips, a list of the previously unknown and undocumented opcodes now exists.
In total, the research company found 29 undocumented commands, collectively characterized as a “backdoor,” that could be used for memory manipulation (read/write RAM and Flash), MAC address spoofing (device impersonation), and LMP/LLCP packet injection. Espressif has not responded to requests for an explanation.
It should be fairly straightforward to devise a scanning utility that looks for these opcodes, by searching for sequences that include reads, writes, and other access methods.
It’s quite possible those opcodes are undocumented for proprietary reasons or to safeguard access to underlying controls such as radio strength and protocols.
And before everybody panics: This is not a “backdoor” in the sense that you can use it to break into the chip and/or would allow some evil attacker to do horrible things to your ESP32.
It is, as @SpinCharm wrote, a set of undocumented opcodes. An API, if you will. This allows software that already runs on the device to do more things than before. Which is great, actually. It’s not a threat at all.
I guess that I hope the friendly hackers will test this out more. Post results showing what is possible in order to prevent hostile hackers from exploiting it.
Here’s the vector information if anyone’s curious:
CVE-2025-27840
3.1/AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
CVSS v3.1 Severity and Metrics:
Base Score: 6.8 MEDIUM
Vector: AV:P/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:L
Impact Score: 6.0
Exploitability Score: 0.3
Attack Vector (AV): Physical
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Changed
Confidentiality (C): High
Integrity (I): High
Availability (A): Low
Notably, this requires physical access to the device. So, essentially, 1) don’t give people you don’t trust access to the ESP32 board, and 2) don’t install firmware you don’t know/trust.
So having translated the original presentation, it’s not really a backdoor at all. It’s a set of undocumented Bluetooth stack API calls that allow low-level control of the Bluetooth radio. Executing them requires direct access to the chip. The authors speculate that it might be possible to perform arbitrary BLE commands or execute code on an ESP32 connected as an HCI device to another host (presumably via serial or USB) if full control of the interface to the ESP32 is available, but do not mention any known exploits or identify any equipment in the wild that fits that description - and the vast majority of the ESPs out there definitely would not.
The main thrust of the presentation is the ability to use an ESP32 as hardware to perform sophisticated Bluetooth attacks (presumably as a white hat) - just like a Flipper Zero but maybe at a lower cost - and more readily available.
They’ve already backed up a bit, or at least clarified their statement. I really don’t like the choice of language in a lot of their statements. I feel like they’re trying really hard not to say you need a physical/OTA connection by using vague language. Even raising panic about the MAC change is funny given that’s already a command. ‘Supply chain attacks’ is also trying hard not to say local access to firmware in their statement update.
We would like to clarify that it is more appropriate to refer to the presence of proprietary HCI commands—which allow operations such as reading and modifying memory in the ESP32 controller—as a “hidden feature” rather than a “backdoor.”
The use of these commands could facilitate supply chain attacks, the concealment of backdoors in the chipset, or the execution of more sophisticated attacks. Over the coming weeks, we will publish further technical details on this matter.
I stumbled on this article, which originally described some undocumented ESP32 commands as “back door” commands. How bad is this for our community?
To quote the article, “The undocumented commands allow spoofing of trusted devices, unauthorized data access, pivoting to other devices on the network, and potentially establishing long-term persistence.”
This seems bad, but I’m just a caveman. Thank you for shedding light on the subject!
TLDR. It’s not really bad, and you’re not a caveman unless you admit to not using the search function before creating a new topic. That’s not you, right?
Well, the term backdoor doesn’t really fit from what is known so far; it is rather a front door problem, meaning physical access is necessary to use these “undocumented API features”.
Even the authors are saying “hidden feature” would be the proper term…
03/09/2025 Update:
We would like to clarify that it is more appropriate to refer to the presence of proprietary HCI commands—which allow operations such as reading and modifying memory in the ESP32 controller—as a “hidden feature” rather than a “backdoor.”
No Remote Access: They cannot be triggered by Bluetooth, radio signals, or over the Internet, meaning they do not pose a risk of remote compromise of ESP32 devices.
Security Impact: While these debug commands exist, they cannot, by themselves, pose a security risk to ESP32 chips. Espressif will still provide a software fix to remove these undocumented commands.
Scope: If ESP32 is used in a standalone application and not connected to a host chip that runs a BLE host, the aforementioned HCI commands are not exposed and there is no security threat.
Along with some other notes about which devices are affected, their bug bounty program, their continued commitment etc. that you can read at the link.
All these people freaking out about this likely run all their IoT devices, ha, and a host of other non-secure things on a non-segmented VLAN with access to everything. They may even have many devices that are cloud controlled such as Tuya. They’re the same ones that use dyndns & port forwarding as a means of obtaining remote access. They use the same passwords everywhere because they can’t be bothered to remember all those different ones.
Regardless of all that, the likelihood of someone spending the time to hack your fridge magnet dohicky whatcha-ma-call-it is highly unlikely. Even the deadbeat neighbor kid still living in their parents’ basement at 31 with no job, who sits and plays online games 24/7, has better things to do.
Regardless of what the news tells you, the bad guys couldn’t care less if your LED blinks red, blue, or green, and unless you’re a top ranking official they’re not gonna waste the time on your fancy humidity sensor.
Just my $0.02 and I owe the bank at least half of that.