Are They Vulnerabilities or Undocumented Debug Features

The recent undocumented code in the ESP32 microchip, made by Chinese manufacturer Espressif Systems, is used in over 1 billion devices and could represent a cybersecurity risk. Its reveal by security researchers has kicked off an interesting discussion regarding undocumented features in firmware devices - are they security vulnerabilities or just debug tools?

At the end of the day, any debug, test, or validation features should be removed (or fused off in the case of hardware) before they become available to customers. At the very least, features should be documented, so everyone knows the potential risk.

Otherwise, features become tools for threat actors who may use them separately or in combination with other tools to undermine the system, expose data, make lateral movements to other systems, or exfiltrate sensitive information.

This issue is widespread in the software, OS, firmware, and hardware industries, but that is no excuse, as these represent an aggregate risk. Every vendor should be responsible in removing debug, test, and validation features and at the very least documenting those which need to remain. Transparency is important for trust and security.