ESP32 backdoor found and verified - 20250308

You are right about this. But if there was a way to identify vulnerable devices over the internet and turn them into a bot army, that may be attractive to someone. There was a (debunked, IIRC) report about a certain type of security cameras being systematically hacked and turned into a botnet a few years ago. So don’t treat these things too lightly.

But, again, none of this applies to this non-backdoor of course.

Like a botnet made of a million droids? :robot:

Grandma couldn’t care less either :older_woman:

Having read the report and Espressif response, there should be indeed some concern. Not for me or individuals using the device in most typical applications, but certainly for security concerned applications.

As Espressif states, and since the hidden operations are not accessible over the air, standalone applications, where the ESP device runs the full app, should not be of any concern: if you have access to read, upload, or change the firmware, then there is no point in restricting access to these.

Also, in scenarios where the ESP is working as a comms slave, you still need physical access to the device to exploit this issue. But if you have physical access to the device, you already have access to its firmware and again there is no point in protecting against this… in most cases.

But, in security concerned applications, or where you might want to protect your firmware, i.e. to protect industrial property, the ESP has very useful capabilities for encrypting flash in such a way that it cannot be decoded outside the device.

If you are using flash encryption, accessing the device memory using these hidden debug commands, at least for slave applications, could be an issue, as this could indeed be a real backdoor.

This raises, for me at least, the concern of whether there might be other “hidden debugging commands” accessible via OTA that simply have not been disclosed yet.

At some point Espressif will have to provide clarity and somehow regain the lost confidence, as the words China and Backdoor have come together with this issue, and this is not something to just forget and let go as if it had not happened.

You can bet and the same is probably the case with your phone and computer :person_shrugging:


Indeed. The only way to assuage this sort of fear of the technological unknown would be to become Ted Kaczynski v2.0

If you actually read Espressif’s response (and technical detail here) you would see that it perfectly addressed the situation.


There is no “lost confidence” except by people who misunderstood what the original article revealed.


Well, I totally understood both the original article and Espressif’s response, and I have indeed lost confidence.

I agree they have always had the bug bounty as a proof of their commitment to security.

Also that they are now publishing the HCI commands and giving some possibility to block them in future firmware versions, but these come only after the commands were discovered.

For me, the only real way to fight this sort of issue is open source (or better said omitting restrictive licensing models, publishing the source code, which is not the same).

I do understand anyway there must be quite a lot of industrial property there… so not easy for them, but security through obscurity is always a bad idea, and I have always been concerned about the ESPs being black boxes (at least the ROM part), only to now find undocumented HCI debugging commands allowing access to internal memory.

Again, for the use that most of us give to the devices, the concern should be near zero, but if I already had some concerns about using ESPs for security critical applications, I would now seriously reconsider using them for that.

True, but we are speaking now about the ESPs and the hidden HCI commands. If a backdoor (or suspected backdoor) had been discovered in Linux or iPhones, we would be discussing that instead, if it affected our home automation.

Some years ago already, a bug / backdoor in the Linux kernel was found allowing elevation of privileges under very specific circumstances because a contributor to kernel development just “misused” an assignment operator instead of a comparison (basically “=” vs “==”). This “minor typo” had catastrophic security implications, and was found because the code is public.

But there was always the doubt of whether this was intentional, so as I recall, all code submissions from this developer were either reviewed or rolled back, and he was mostly banned from further contributing.

Confidence is hard to gain, and easily lost.

One thing I just realised is that your entire post history is nothing but pearl-clutching about this topic and you happen to be the same nationality as the original fear mongering paper’s authors.

You wouldn’t happen to have a conflict of interest would you?

Antonio is that you, or is it Miguel?


I was not even aware these guys from Tarlogic are from Spain until you pointed it out.

And you are right, my account is brand new. I opened it as I just published (open source) some tools for Home Assistant, and am about to publish a few more I have been using for years. I plan to open specific topics for those.

Just in the process I came to this thread, and felt concerned by the fact this is being dismissed generally (even by the paper authors) as not being a backdoor. Sorry, not so sure. Maybe not intentional by Espressif, but still an issue.

You call it “pearl-clutching”, but my concern is real. I believe in security by design and cannot tell whether I am maybe sometimes over-concerned.

Edit: removed personal identifiable information. No point in disclosing it just to answer to this.

BTW, I do not work in the IT industry, so no conflict of interest. Happy to provide more details in private if in doubt.

The fact remains, this is not a security flaw.


Arguably.

It is likely possible to retrieve wifi credentials from an encrypted ESP device running as an HCI slave using these commands, which was not supposed to happen. A very specific use case, but a real one anyway.

If you do not like to call it a security flaw, that’s fine by me.

Not here to convince anybody, but I think I am as right to think, and reasonably explain, that even though this is not as bad as initially reported, it still may be more than now everybody wants to believe.

If someone has access to your hardware (router/clients/ethernet/esp) you have a security flaw. :boom:

If you do a border crossing and handing in your notebook is required you have a security flaw. :unlock:

You might just demonstrate this with a POC? Eventually (if recognized) you might even qualify for a bug bounty :wink:

For that you push it really really hard :joy:


Yes, but if my laptop is encrypted, I expect to lose it, but not for the robber to gain my wifi credentials and use them to connect to my network from another device. Same for the ESP if encrypted. If you still think this is not a security flaw, up to you.

Nothing to hide in my laptop for authorities, so no concern for me. Maybe in yours? :male_detective:

Would not either ever think of bringing my laptop to countries where individual rights are not respected, anyway.

Not interested. Too much time and not my business.

Seriously considered it after the discussion (doing the PoC, not the bounty). Also if something came out of it, the bounty would go to the original discoverers, not me, so what’s the point in wasting more time?

The authors of the paper did a magnificent work discovering this, whatever you say. Their mistake, indeed, is probably disclosing it as a backdoor too quickly without a workable PoC to prove it is exploitable as such. But this does not diminish the rest of their work.

Well, I expected just to leave an educational comment clarifying that “Having read the report and Espressif response, there should be indeed some concern. Not for me or individuals using the device in most typical applications, but certainly for security concerned applications”

Of course, when it comes to answers like:

  • fear of the technological unknown
  • If you actually read Espressif’s response
  • There is no “lost confidence” except by people who misunderstood what the original article revealed
  • pearl-clutching about this topic
  • you happen to be the same nationality as the original fear mongering paper’s authors
  • You wouldn’t happen to have a conflict of interest would you
  • Antonio is that you, or is it Miguel (who are them, by the way?)
  • it seems almost too obvious what your mission here is since you joined one day ago

Sorry, out of place, disrespectful, and definitely not welcoming to a new user.

So yes, I answer to these, and you made me lose more time than expected. Not laughable at all, so please save the smiley to friendly conversations.


It’s actually somewhat amusing that you are riding very hard on a theoretical (not even proven to be a real/serious) flaw that has 0 impact in the real world (yet and probably in future) - despite already being publicly addressed by the manufacturer. :white_check_mark:

Devices based on Espressif (and Beken and Realtek) chips (like Tuya) are very popular in the ESPHome/DIY communities because they are easily exploitable (often over the air), which makes it possible to own them completely and turn them into a local-only device with the help of open source goodness :raised_hands:

On the other hand :wave: you probably find thousands of users in this forum which use real(!) vulnerable devices (like early Z-Wave series) which are actually attackable over the air! Another fact mostly no one cares about is using the deprecated WPA/WPA2 (TKIP) wifi encryption in their routers/APs which - again - can be exploited today over the air! Nothing theoretical, but actual real exploitable vulnerabilities :warning:

All true, and not arguable.

Which does not change the disrespectful tone of your answers.

And which does not change the fact that on an ESP forum discussion, I was answering to an ESP related topic. Not Tuya, not Z-Wave, but ESP.

Because ESP devices are the ones I use as a hobbyist. Not Tuya, not Z-Wave, but ESP.

And yet you chose to be disrespectful, not welcoming, and trying to bring the discussion to “other devices are worse, why are we discussing ESP”?

So your statement is clear: as other devices are vulnerable, why are we discussing then a discovered, maybe potential, flaw on the ESPs, on an ESP forum?

Let’s just then close this forum.

Maybe it is you who has a conflict of interest?

Actually this here is the official ESPHome Forum - if you ever heard of it :wink:

Well, ESPHome supports a wide range of MCUs and it might be shocking for you but (despite the name) it is not limited to ESPs! :raised_hands:

Also the people using “freed” Tuya devices (as an example) are in the right spot posting in this very forum :writing_hand:

Doing a quick search in the ESPHome device database reveals 185 Tuya results (this very second - your mileage may vary!) :mag:

BTW the official ESP(32) forum from Espressif can be found here :point_down:

https://esp32.com/

It might be a better place for your “insights” :wink:

This is such a non-issue I’m surprised Steve Gibson hasn’t jumped all over it like he did with raw sockets.

Shame on respectable publications for creating these click bait articles.

It’s all about the clicks! :money_mouth_face:

Also the source, Tarlogic, is to blame, which is not only a company with commercial interests (and not independent researchers) but also started the whole show with the buzzword backdoor despite (only) having found some undocumented API commands that can only be utilized locally :do_not_litter:

At least they updated this on their own site… :point_down:

One thing for sure, people will continue to call it a backdoor as this is much cooler :sunglasses:

When I first saw the exploit the use of “backdoor” also bothered me, since I typically use it in cases where it’s deliberate, but Wikipedia covers various meanings. I do feel it’s still creating unnecessary FUD though, because the term is politicised.

We could even say we use ESPs because they have a backdoor which allows us to connect a serial adapter and alter the bits present by replacing them with some ESPHome goodness, gaining full ownership and local control on the way :raised_hands:
