• Korkki@lemmy.ml
    23 hours ago

    In such a system, the ESP32 fully trusts the host. If an attacker maliciously gains control over the host system, they could potentially issue these debug commands to influence ESP32’s behavior. However, an attacker must first compromise the host device, making this a second-stage attack vector rather than a standalone vulnerability. Or, gain physical access to the device to send the HCI commands over serial interface.

    Does this even count as a backdoor? Not really if you have to have access to the device in the first place.

    https://www.youtube.com/watch?v=ndM369oJ0tk

      • JWBananas@lemmy.world
        22 hours ago

        Does it? The quoted passage is also in reference to a less commonly used configuration, in which it is basically used as a communications coprocessor.

  • MangoPenguin
    20 hours ago

    I’m all for embedded stuff having backdoors, it’s what makes it possible to use custom firmware on devices that have otherwise crappy vendor-locked firmware.