Source Link Privacy.
Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.
Update: The ESP32 “backdoor” that wasn’t.
I couldn’t find a list of devices. Anyone else find one?
That’s like saying “I want a list of all devices with ATmega328P.” Anyone can make a unique device with this chip as the processor, in fact I have. It’s a chip with an extremely low barrier of entry thanks to extensive documentation, lots of dev boards and libraries. Not as low as the 555 (lots of people’s first IC) but WAY lower than anything you’d traditionally consider a 32-bit CPU.
Anyway, even if you obtained the list magically, it would be of little use. To be clear: this is not an exploit. The chip just has more instructions than previously thought – instructions that you write into your program when building an ESP32 device. This can make some programs a little faster or smaller but you still need to flash them onto the microcontroller – using physical access, OTA (if you set it up in the existing FW) or some exploit (in someone’s OTA implementation, perhaps).
So your argument is what? We shouldn’t have a list because the chip is user friendly?
No. I’m saying you cannot have a complete list because the chip is user friendly. Look at all the “ESP32 project” results in the search engine of your choice if you want an incomplete list. Unlike say an Intel processor, you don’t need a contract with the manufacturer to make a device with the chip so not even Espressif has a list of commercial products that ship with their chip.
I will not stop you from building a list, I’d just not bother if I were you. There is no use of one resulting from this news. Suppose I told you “LOOK! This device’s firmware was compiled before they knew the program might be .1% more efficient with this instruction discovered in 2025!” – would that really change how you feel about the device? We live in an age of bloat; most software has way higher overhead that could be optimized away.
However, lots of people will fail to realize that, again, this is not an exploit so I’ll enjoy lower ESP32 prices for future home automation projects.
Dude, do I really need to pedantically qualify my question with “I would like a list of manufactured devices produced for sale with the chip already integrated, not hobbyist or ersatz devices in limited quantity? Nobody needs that, and a reasonable person would understand I’m not interested in what joe schmoe built in is garage.
C’mon, it’s like you’re looking for an argument. No shit we can’t have a list of every device based on your criteria, but we can reasonably expect to know what manufactured large-run devices do have it, and I think that’s a reasonable take on my question.
I agree that a list would be cool but I need to make sure that people know this is not a “WARNING! Avoid these bugged devices:” situation. Calling for a list increases unjustified panic. (Also, it looked like you didn’t understand the difficulties of listing all ESP32 products, which I was all too happy to be pedantic about.)
Am I oddly curious about the cheapest/most expensive/most popular retail ESP32 device? Yes.
Does this news increase/decrease the benefit of making such a list? No, it’s still way below the cost.
The article is talking about the Espressif ESP32 micro controller (has Wi-Fi/Classic Bluetooth/BLE).
I don’t know if the variants of this chip also have the same vulnerability (my guess is yes). As someone who works on this chip, I’m interested in more discourse on this matter.
Yeah, I caught the ESP32 part and tried to search for what devices these chips were built into, but couldn’t find one. I was curious how widespread the flaw was - as in, what consumer or infrastructure devices they might be in.
The Tasmota firmware documentation has a decent list, but it’s limited to devices that are known to be flash-able so you can install custom firmware on them. https://templates.blakadder.com/
Thanks, that’s a pretty short list - as you said it’s limited.
The homepage just has recently added devices. Use the menu to browse by device type.
Wow. Ok, some more brand name devices are starting to be named. Still mostly consumer IOT like bulbs and smart plugs. Thanks for the update. I can see one device we own.
If it affects all ESP32s, the list is infinitely longer
Oh those kind of devices. Its very popular for hobbyists and self-designed devices or cheap IoT products. Don’t know the market presence outside Asia but its quite popular in India due to its low cost.
I’d also like to hear more. I have at least a dozen of these in my house.