by xondono 77 days ago
Well, that depends on what you count as a backdoor, but Espressif has had some questionable flaws:

- Early (ESP8266) MCUs had weak security, implementation flaws, and a host of issues that meant an attacker could hijack and maintain control of devices via OTA updates.

- Their chosen way to implement these systems makes them more vulnerable. They explicitly reduce hardware footprint by moving functionality from hardware to software.

- More recently there was some controversy about hidden commands in the BT chain, which were claimed to be debug functionality. Even if you take them at their word, that speaks volumes about their practices and procedures.

That’s the main problem with these kinds of backdoors: you can never really prove they exist because there are reasonable alternative explanations, since bugs do happen.

What I can tell you is that every single company I’ve worked for which took security seriously (medical implants, critical safety industry) not only banned their use on our designs, they banned the presence of ESP32-based devices on our networks.

2 comments

You can hide malicious intent, so the repeated negligence patterns you’re pointing out make a better signal. Smart. Thx for the perspective

Obviously... They are not made for safety-critical systems. It's for hobbyists.

These parts are in a massive number of retail smart switches, 3D printers and IoT devices.

They are definitely beyond a hobby device.

They're made well, designed well and the libraries are some of the best in class.

My concern is purely on risk.

What would any responsible state security agency spend to have devices behind every single firewall of an adversary?

Except if you penetrate the market with modules that cost 5% of similar US-made solutions, you start to win mindshare. At least some of those hobbyists start making a product, and sometimes the determination of whether a product is "safety critical" isn't agreed upon until after it's failed catastrophically.