So basically this is a complete nothing-burger. ESP32 is no more vulnerable than any of the other billions of devices. More fake news.
aka marketing 
I haven't confirmed whether it's fake or not, but it's better than the information not being made public and being abused without people knowing.
As other people have pointed out, no one had heard of the company named Tarlogic before, and now some people have. Maybe that was the intention.
This is hypothetical as I donāt know the details here but you could have fuse locks and It depends on how the fuse works. If the fuse prevents external writing (e.g., via ISP, JTAG, or SWD) but allows the firmware itself to perform self-modification, then an OTA update attack or through UART could possibly work.
The hidden API commands were able to write in flash from what I understood.
Is that a big risk, no - but probably sufficient for them to consider a patch to make those API not accessible.
Hackaday quotes, if these VSCs in ESP32 chips are a security risk, then as [Xeno] duly notes, millions of BT controllers from Texas Instruments, Broadcom and others with similar VSCs would similarly be a security risk.
So what? I guess, by such logic, a million Elvis fans can't be wrong? Because there are a lot out there they can't be a risk because that would suck - so they're not. We can't be having an earthquake - I'm in the shower already.
Whether there's a problem or not, I'm an agnostic. I don't know.
Don't know if it is related but latest esp-idf update (from GitHub) has comments saying that this release has "bt debug functionality" turned off
1 Like
Seems related indeed