- Early (ESP8266) MCUs had weak security, implementation flaws, and a host of issues that meant an attacker could hijack and maintain control of devices via OTA updates.
- Their chosen way to implement these systems makes them more vulnerable. They explicitly reduce hardware footprint by moving functionality from hardware to software.
- More recently there was some controversy about hidden commands in the BT chain, which were claimed to be debug functionality. Even if you take them at their word, that speaks volumes about their practices and procedures.
That’s the main problem with these kinds of backdoors: you can never really prove they exist, because there are reasonable alternative explanations, since bugs do happen.
What I can tell you is that every single company I’ve worked for which took security seriously (medical implants, critical safety industry) not only banned their use in our designs, they banned the presence of ESP32-based devices on our networks.