Comment by AlotOfReading

1 month ago

HCI commands aren't remotely accessible without further flaws. The key line from the article is:

    Depending on how Bluetooth stacks handle HCI commands on the device, remote exploitation of the backdoor might be possible via malicious firmware or rogue Bluetooth connections.

The short answer is that if you have a secure driver stack and you trust all the local code, HCI vendor extensions aren't problematic.

With that said, HCI extensions can easily be a security hole. The problem is that HCI mixes attacker-controlled inputs with a complicated interface and a lot of fiddly parsing. It's easy to get wrong, as the BleedingTooth [0] vulnerability demonstrated a few years back.

Having these kinds of things around also makes it easier to pivot a vulnerability elsewhere, though that's low-hanging fruit on most systems.

[0] https://google.github.io/security-research/pocs/linux/bleedi...
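The comment's point that HCI "mixes attacker-controlled inputs with a complicated interface and a lot of fiddly parsing" comes down to one recurring defect: trusting the length byte in a packet that arrived from the controller (and, transitively, from the radio) before checking it against the bytes actually received. The example below is added here and is not code from the comment, from the BleedingTooth write-up, or from any Bluetooth stack; the `struct` and function names are my own. It parses the HCI event header defined in the Bluetooth Core specification (event code, parameter total length, parameters) and the Command Complete event layout, rejecting any packet whose declared length disagrees with the buffer, and the sample packets are constructed for the demonstration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* HCI event packet: [Event_Code:1][Parameter_Total_Length:1][Parameters...] */
#define HCI_EVT_HDR_LEN      2
#define HCI_EV_CMD_COMPLETE  0x0E   /* Command Complete event code */
#define HCI_EV_VENDOR        0xFF   /* Vendor-specific event code */

enum hci_parse_result {
    HCI_OK = 0,
    HCI_ERR_SHORT_HEADER,    /* fewer than 2 bytes received */
    HCI_ERR_LEN_MISMATCH,    /* declared length != bytes actually present */
    HCI_ERR_WRONG_EVENT,     /* asked to decode a different event type */
    HCI_ERR_SHORT_PARAMS     /* event-specific fixed fields are missing */
};

/* Hypothetical view over a raw event; params points into the caller's buffer. */
struct hci_event {
    uint8_t evt_code;
    uint8_t plen;
    const uint8_t *params;
};

/* Step 1: validate the header before reading anything past it.
 * The plen byte is untrusted input, so both a too-large value (truncated
 * packet, would read past the buffer) and a too-small value (trailing bytes
 * the parser would silently ignore) are rejected. */
enum hci_parse_result hci_parse_event(const uint8_t *buf, size_t len,
                                      struct hci_event *out)
{
    if (buf == NULL || out == NULL || len < HCI_EVT_HDR_LEN)
        return HCI_ERR_SHORT_HEADER;
    uint8_t plen = buf[1];
    if ((size_t)plen != len - HCI_EVT_HDR_LEN)
        return HCI_ERR_LEN_MISMATCH;
    out->evt_code = buf[0];
    out->plen = plen;
    out->params = buf + HCI_EVT_HDR_LEN;
    return HCI_OK;
}

/* Command Complete: [Num_HCI_Command_Packets:1][Command_Opcode:2 LE][Return_Parameters...] */
struct hci_cmd_complete {
    uint8_t ncmd;
    uint16_t opcode;
    const uint8_t *ret;
    size_t ret_len;
};

/* Step 2: decode an event-specific layout, again checking the fixed-field
 * size against the (already validated) parameter length. */
enum hci_parse_result hci_parse_cmd_complete(const struct hci_event *ev,
                                             struct hci_cmd_complete *out)
{
    if (ev == NULL || out == NULL)
        return HCI_ERR_SHORT_PARAMS;
    if (ev->evt_code != HCI_EV_CMD_COMPLETE)
        return HCI_ERR_WRONG_EVENT;
    if (ev->plen < 3)
        return HCI_ERR_SHORT_PARAMS;
    out->ncmd = ev->params[0];
    out->opcode = (uint16_t)(ev->params[1] | (ev->params[2] << 8));
    out->ret = ev->params + 3;
    out->ret_len = (size_t)ev->plen - 3;
    return HCI_OK;
}

/* Constructed sample packets (not captured from real hardware). */
/* Command Complete for HCI_Reset (opcode 0x0C03), status 0x00. */
static const uint8_t pkt_good[] = { 0x0E, 0x04, 0x01, 0x03, 0x0C, 0x00 };
/* Same event, but plen claims 0x40 bytes while only 4 follow. */
static const uint8_t pkt_truncated[] = { 0x0E, 0x40, 0x01, 0x03, 0x0C, 0x00 };
/* Vendor-specific event carrying two bytes of opaque payload. */
static const uint8_t pkt_vendor[] = { 0xFF, 0x02, 0xAA, 0xBB };

int main(void)
{
    struct hci_event ev;
    struct hci_cmd_complete cc;
    if (hci_parse_event(pkt_good, sizeof pkt_good, &ev) == HCI_OK &&
        hci_parse_cmd_complete(&ev, &cc) == HCI_OK)
        printf("cmd complete: opcode 0x%04X, %zu return byte(s), status %u\n",
               cc.opcode, cc.ret_len, cc.ret[0]);
    printf("truncated packet -> result %d\n",
           hci_parse_event(pkt_truncated, sizeof pkt_truncated, &ev));
    if (hci_parse_event(pkt_vendor, sizeof pkt_vendor, &ev) == HCI_OK)
        printf("vendor event 0x%02X with %u payload byte(s)\n", ev.evt_code, ev.plen);
    return 0;
}
```

The two checks are deliberately separated: the header check is the one place that decides how many bytes are safe to touch, and every event-specific decoder then works only within `plen`. A decoder that reads a fixed field without first comparing against `plen` reintroduces exactly the class of out-of-bounds read the comment is warning about.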