RE: Alleged ESP32 so-called "backdoor"

The talk where a couple of researchers presented their findings in Madrid is about undocumented commands found in the ESP32. They presented themselves as civilians, but they also have a consultancy or work for a company called Tarlogic.

Nothing about the talk, and nothing about the Tarlogic article (that doubles as marketing material for their security product) says that they found anything about backdoors, or any malicious commands.
https://reg.rootedcon.com/cfp/schedule/talk/5

Tarlogic
https://www.tarlogic.com/news/backdoor-esp32-chip-infect-ot-devices/

They don't claim that there is a backdoor; they use many conditionals such as "would" and "could", and they say "maybe", but they didn't demonstrate any exploits.

They've shown that they found interesting undocumented functionality, and they are extrapolating that it could possibly be used somehow, but they don't really know if it's possible or not.

Slander in a teacup

It seems that Espressif built in some debugging functionality? Is that a horrible thing? They don't know, but they make sure to promote their own security product to protect you. How nice of them.

There are too many time-wasters with very specific ideologies creating chaos and confusion out there; it's good to identify them.

#esp32


Tarlogic’s press release asserts that there is a backdoor in the ESP32 chip, but the headlines don't match the substance of the article. The article does not provide detailed technical evidence such as a live demonstration, specific conditions under which the vulnerability is triggered, or step-by-step instructions to reproduce the findings. The announcement primarily focuses on the potential risks and implications—likely as part of a broader strategy to promote their security tools—without delving into the granular technical details that would allow independent verification.

They use the term "backdoor", but I'm unsure that they understand what that word really means, or whether they understand the weight of such claims, which so far appear to be completely unsubstantiated.

I really hope they have something to show.

#esp32

Whilst it's unfortunately relatively common to see limited details in early-stage vulnerability announcements from commercial labs, the lack of technical evidence behind such a significant claim raises even more significant questions.

The expectation is that further detailed information should be released through more technical channels to allow for proper evaluation and remediation.

In the absence of that, it's slander in a teacup.

#esp32

@haitchfive @theruran I thought they said they could write arbitrary memory?

@adamshostack @theruran

They say many things. Please refer to my post above.

@haitchfive I read it and thought "wow that's some out of scope stuff, seems like they were really desperate for a paper".

@odr_k4tana

I know, right? One massive nothingburger they could end world hunger with.

#esp32

@haitchfive strong "needs physical access to the device" vibes.

@odr_k4tana

I thought the same. But then, almost everything is in principle exploitable with physical access to the device.

#esp32

@haitchfive That's why I find it so ridiculous.

@haitchfive If anything, the article on their page looks more like an advertisement for their own products and services than a description of a backdoor.

@shine Yes, you're right, and that's what makes it especially problematic. Had they not included that, it would have been harder to blame them for a profit motive.

Let's see if they publish something serious in the coming days. Up to this point they've only undermined their own credibility.

#esp32