Source Link Privacy.
Tarlogic Security has detected a backdoor in the ESP32, a microcontroller that enables WiFi and Bluetooth connection and is present in millions of mass-market IoT devices. Exploitation of this backdoor would allow hostile actors to conduct impersonation attacks and permanently infect sensitive devices such as mobile phones, computers, smart locks or medical equipment by bypassing code audit controls.
Update: The ESP32 “backdoor” that wasn’t.
It is not easy to determine how fixable this is. IIRC, the ESP32 has the wireless stack hidden from user space, and I am not sure if it is a blob included during link time, or if it is stored in a ROM of the chip. I do have the chips and the development enviroment in my studio, but (luckily) I decided to use a different chip for my project.
But I know there is a load of systems using either the ESP32 as their main processor, or as an auxiliary processor to add WiFi or BT capabilities, so this really is a big oh shit moment.