
ESP32/ESP8266 Wi-Fi Attacks - gioscarab
https://github.com/Matheus-Garbelini/esp32_esp8266_attacks
======
fra
First and foremost, this speaks to the ubiquity and hacker friendliness of
Espressif's chips. Most of their competitors (I'm looking at you, Broadcom),
prefer security through obscurity and make it extremely difficult to get
access to chips, let alone SDKs. I am certain that similar vulnerabilities exist
in every embedded WiFi chipset out there.

That being said, the status quo is completely untenable. Connectivity has
become the norm in the hardware space, and it is built on a shoddy software
foundation. Vendor SDKs are often best effort endeavors provided "as is" with
no thought given to security or reliability. The results are clear: "the S in
IOT stands for security" has become a trope, and connected cameras, locks,
washing machines, and many more are getting owned on a weekly basis.

This will change, and whoever cracks this nut will be very successful indeed.

~~~
gioscarab
Espressif have not released the sources of the WiFi implementation, just
binaries. I would define that as "security through obscurity".

~~~
joezydeco
"avoiding patent infringement lawsuits via opacity"

~~~
wysifnwyg
Has there been any successful patent infringement lawsuits over the last three
years that targets a Chinese company that has infringed upon a US company?
Isn't that part of the issue in the current trade deal talks with China?

~~~
CDSlice
Not a US company being infringed, but Lego has gotten a Chinese court to order
Lepin to stop making imitations of Lego products. [1] Since arrests have been
made over Lepin not complying [2], it seems like the ruling has teeth.

[1] [https://www.brothers-brick.com/2018/11/05/lepin-ordered-to-stop-making-and-selling-lego-imitation-products-by-chinese-court-news/](https://www.brothers-brick.com/2018/11/05/lepin-ordered-to-stop-making-and-selling-lego-imitation-products-by-chinese-court-news/)

[2] [https://www.brothers-brick.com/2019/04/28/arrests-made-in-lepin-raid-over-the-continued-manufacture-of-counterfeit-lego-products-news/](https://www.brothers-brick.com/2019/04/28/arrests-made-in-lepin-raid-over-the-continued-manufacture-of-counterfeit-lego-products-news/)

~~~
monocasa
Doesn't look like they've actually stopped.

[https://lepinworld.com/](https://lepinworld.com/)

------
Etheryte
For those unfamiliar with the topic, these two chips are by and far the most
common wifi chips for DIY and are also very common in IoT devices. Due to
cheap price ($2—$5 depending on the model) and very low barrier to entry
technically, these devices are both very popular as well as very wide spread
in those two categories.

These chips are the first hits for searches such as "Arduino wifi module",
"breadboard wifi", "IoT wifi module", and many, many more as they're the
downright easiest way to add wifi to something that doesn't have it out of the
box.

I'm not sure how applicable these attack vectors are in the real world, but
they affect a very large number of devices for sure.

~~~
Klathmon
They are also really capable processors on their own with some nice I/O, and
they can be integrated to be really low power so things can run on battery
power for months to years.

~~~
fyfy18
Can they really last that long (on their own)? I looked into this when the
ESP8266 first became popular maybe 4 years ago as I wanted to build WiFi
temperature and humidity sensors. My calculations were that a set of AAA
rechargeable batteries (~2000mAh) would last a few days at most, with the
device in deep sleep most of the time and waking up every 10 mins to take a
reading and send it over WiFi.

Right now I'm looking to create smart blinds. The motors don't use that much
power, but the issue is the MCU listening for commands. The ESP32 supports BLE,
but its power consumption is still rather high, so batteries would only last
a few days at most.

~~~
zaarn
Personal experience: I have an ESP32 that runs as a sort of weather station. It
has a ~2000mAh battery and lasts almost 2 months, getting a data point once
every 30 minutes. That is using the ESPHome to program it.

Even at once every 10 minutes, it should manage almost 3 weeks without
requiring a recharge.

Some options that definitely help are to quicken the Wifi reconnect. ESPHome
has options to disable AP scanning and do a fast-and-dirty connect&send.
Using MQTT also helped a lot compared to using HTTP.

The most important part is to reduce the on-time as much as possible. 30
seconds is still way above the lower limit that I can do. If you halve it you
can double the amount of data points without additional energy by reducing the
sleep time.

I'm working on replacing the battery with a solar panel and supercap to power
it from ambient shadow light entirely; the numbers do agree that it is
possible in my case. Would help to keep it alive in cold weather.

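The approach described in the post above (skip the AP scan, publish over MQTT, keep the on-time short, sleep for the rest), as an added ESPHome configuration example that is not from the thread; the node name, pin, broker address and credentials are placeholders.

```yaml
# Added example: an ESPHome configuration for a battery-powered DHT22 node
# that wakes, connects quickly, publishes one reading over MQTT and sleeps.
# Node name, pin, broker address and credentials are placeholders.
esphome:
  name: weather_node
  platform: ESP32
  board: esp32dev

wifi:
  ssid: "YOUR_SSID"          # placeholder
  password: "YOUR_PASSWORD"  # placeholder
  fast_connect: true         # connect to the stored AP without scanning first

mqtt:
  broker: 192.0.2.10         # placeholder broker on a dedicated IoT VLAN/SSID
  username: "mqtt_user"      # placeholder
  password: "mqtt_pass"      # placeholder

sensor:
  - platform: dht
    pin: GPIO4               # data pin; pull-up resistor on the data line
    model: DHT22
    temperature:
      name: "Outside Temperature"
    humidity:
      name: "Outside Humidity"
    update_interval: 10s     # take the reading early in the awake window

deep_sleep:
  run_duration: 20s          # awake time per cycle; shorter means longer battery life
  sleep_duration: 30min      # one data point every 30 minutes
```

Halving `run_duration` roughly doubles the number of cycles a charge supports, which is the trade-off the post describes.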
~~~
fyfy18
Ah ha, that's good to know! Yeah in my case I had a small solar panel (a few
quid off eBay, I guess around 1W) which was able to power it through a British
winter (it did get direct sunlight though). I had some rechargeable AAA
batteries and just wired the solar panel in parallel with them.

After a few months it stopped working, I think some moisture got in and the
DHT11 failed.

------
Klathmon
Well that sucks. I have probably 20 esp8266 chips around the house doing
various things (when you can get an MCU for like $2, you find a lot more
uses!), but I don't think any of them really need to worry about this aside
from the DoS attacks taking them offline. I'll need to maybe look into some
alerts when they start going offline, but not much.

I'm not familiar with the Enterprise WPA2 stuff. Is it widely used in high
security environments or "enterprise" areas? And is the ability to gain
control over a device on those networks a big deal?

Enterprise WPA2 always seemed crazy complex, and the fact that many devices
can't even seem to do WPA2 Personal completely correctly, I never had a good
feeling about the Enterprise stuff.

~~~
gioscarab
Reading carefully the documents presented by the author, Enterprise mode seems
to be even less secure than the normal WiFi mode. Quite ironic, I agree.

~~~
sschueller
That's like E-TLS. The enterprise version of TLS.

~~~
philsnow
It feels somewhat irresponsible to not have some scare quotes or a disclaimer
or something in there. There's probably some people who are just learning
about "enterprise TLS" who don't know that it's hobbled:
[https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it](https://www.eff.org/deeplinks/2019/02/ets-isnt-tls-and-you-shouldnt-use-it)

------
acidburnNSA
This appears to be the relevant thread on the Arduino ESP8266 page:
[https://github.com/esp8266/Arduino/issues/6016](https://github.com/esp8266/Arduino/issues/6016)

Looks like it was closed due to "lack of info". I wonder if that caused some
bad blood?

~~~
codebje
Looks like it was a question about where to report it, followed by a handful
of suggestions and _then_ the close. I don't see any reason for bad blood from
that, especially since there was a bit of follow-on discussion and by the look
of it, a fix was released a couple of weeks back.

~~~
acidburnNSA
Yeah, on second read I agree with you. I'm just wondering why the public PoC
disclosure before that team had more chance to fix. The arduino-esp8266 folks
are super popular in the ESP community.

By my read, the fix is still open in that repo, tracked by the follow-up
issue:
[https://github.com/esp8266/Arduino/issues/6436](https://github.com/esp8266/Arduino/issues/6436)

~~~
mcbits
These discussions go back well beyond 90 days, which is more than enough time
to wait for public disclosure.

------
Havoc
Honestly most of the IOT consumer tech infrastructure does security via the
"please don't look at me" approach.

Still don't know exactly why my home assistant can discover & control my wifi
bulbs...never provided passwords or anything.

~~~
ryacko
Oh, you must use an Amazon product, they sync wifi passwords across all your
devices.

~~~
867-5309
it's more likely the bulbs are on the LAN and therefore discoverable by a
known port or API

~~~
Havoc
Yeah think homeassistant guesses default pass

------
mpettitt
The fake beacon frame issue is the key one here - relatively few people are
using Enterprise WPA2, but ESP8266 (or compatible - such as the Tuya TYWE3S)
chips are in all kinds of random low cost IoT devices. I've got some smart
plugs which use them, as well as a few of the dev boards connected up to
various sensors, so looks like will have some patching to do...

~~~
tialaramex
I suppose "relatively few people" is true if you define people the way it
would have been understood a century ago. Corporate and institutional systems
will almost invariably do WPA2 Enterprise.

Without Enterprise, there's just one magic shared key "password" known to
every user of the network.

The Enterprise mode outsources authentication of participants to a separate
service using EAP and nearly always ends up leveraging TLS to actually make
this secure one way or another.

This enables, for example, EduROAM in which academics and students use their
"home" institution credentials to get network access in any participating
educational network.

~~~
mpettitt
I was talking in terms of IoT devices using these chips - more of them are
likely to be on home networks, using WPA2 Personal than in offices using the
enterprise version. For offices, wired smart devices or higher end wireless
devices are more common, which tend to use custom silicon, rather than COTS
modules like the ESP ones. Hue bulbs, for example, don't use ESP derived chips
(if only because they need Zigbee rather than WiFi), and nor does Lutron kit
(z-wave), although Lifx bulbs do.

~~~
tidepod12
Home automation on personal networks is certainly a large use case for these
devices, but I think you underestimate the number of ESP8266/32 devices that
are used in enterprise environments. The Industrial IoT space is pretty big,
using small wifi chips like the ESPs for stuff like factory data collection or
data center monitoring. I also have personally seen them used in medical
device environments and security systems (think wireless door sensors and the
like).

The "big boys" probably use custom made silicon (but even then I've seen
custom-made silicon with an ESP8266 mounted onto it to abstract out the wifi
connection part), but I wouldn't be surprised if the majority of IIoT startups
use the ESPs as part of their products.

------
microcolonel
Yeah, I've caused some of these crashes. The IDF needs a lot of work when it
comes to some of the stacks.

I've been trying to bring the Bluetooth stack (which shares a common ancestor
with the Android one) closer to the current Android Bluetooth stack, since
that's well maintained (ish) and I'm extending it.

~~~
rohansingh
Have you seen that the latest ESP-IDF includes Apache's NimBLE stack? I'm
hoping that improves things a bit.

~~~
microcolonel
Maybe, I'll have to look into that. My application is an A2DP enhancement, and
I think it would be at least a bit of work to implement an A2DP service in
NimBLE; very cool nonetheless, thanks for bringing it up!

------
keymone
ESP8266 is a low-cost Wi-Fi microchip with full TCP/IP stack and
microcontroller capability produced by Shanghai-based Chinese manufacturer,
Espressif Systems.

ESP32 is a series of low cost, low power system on a chip microcontrollers
with integrated Wi-Fi and dual-mode Bluetooth.

Some kind of IoT chips? Can't tell what the real world impact of this is.

edit: whoa, thanks for context folks! i'm surprised this wasn't obvious from
wiki pages.

~~~
acidburnNSA
These are really nice $5 chips with Wifi programmable with the Arduino
toolset. Tons of IoT people use these to integrate various instrumentation and
control into their houses or science projects. For instance, you can hook one
up to a temperature sensor and a relay and control your heater. There are
probably millions of these installed, hooked up to important hardware. So this
makes wardriving fun again, I guess, if not destructive.

~~~
gerdesj
Just to give you some idea of how easy these are to use: In 20 mins with a
small breadboard, a few Dupont wires, a NodeMCU ESP8266, a DHT22 with a pull-up
resistor I've got a desk temperature sensor.

Add: [https://esphome.io/](https://esphome.io/)

... and it talks MQTT and connects straight into Home Assistant.

~~~
exhilaration
No soldering needed?

~~~
gerdesj
Yes, no soldering. Here's an example of the sort of thing that is sat on my
desk:

[https://lastminuteengineers.com/esp8266-dht11-dht22-web-server-tutorial/](https://lastminuteengineers.com/esp8266-dht11-dht22-web-server-tutorial/)

If a NodeMCU board is too big for you then an ESP 01S is smaller and even
cheaper. Fewer I/O options though, but very useful. Needs a writer and wires to
program. You can get one with a relay that is capable of switching 16A.

[https://frenck.dev/diy-smart-doorbell-for-just-2-dollar/](https://frenck.dev/diy-smart-doorbell-for-just-2-dollar/) -
here's an example of a project. $2 is a bit ambitious; I spent £7 for two of
them on Amazon. That's two ESP-01S and two relays!

I don't do Arduino. esphome is a lot easier for me. You use pip to get the
thing installed under your user account. Write a .yaml file which is largely
copy and paste from examples and then install it through a USB cable the first
time and then over the air after that.

~~~
exhilaration
Thank you, I've got software expertise but no hardware at all, I've been
looking for something like this.

~~~
gerdesj
The ESP 01S is particularly good once you get to grips with writing to them
because you can power them from any old phone charger that spits out 5V. You
simply cut off the plug, look for the wire with the white stripe on it to
determine polarity, strip the ends and screw into the relay block.

Be prepared to wave goodbye to your spare time and seriously consider a
separate VLAN/SSID for these things.

------
djsumdog
So is there any way to mitigate these vulnerabilities, or does it require
replacing the hardware?

~~~
mendesgeo
The silicon vendor Espressif has already patched the latest firmware (SDK) of
such devices. However, other products that use these chips will still have to
patch against it.

~~~
codebje
The beautiful part of IoT is how there's billions of devices out in the wild
with no upgrade plan.

The ESP chips are OTA capable with example code provided, but that still means
vendors have to incorporate the function, provide a way for the device to
check for updates, care enough to produce updates, and secure the upgrade
mechanism enough that it's not a worse vulnerability than an unpatched device.

------
amiga-workbench
Oh crud, all my lighting runs off these things. I wish more smart
controller/switches used powerline networking rather than WiFi.

~~~
iamtheworstdev
But then your neighbor's house can become an attack vector for your house.

[https://m.youtube.com/watch?v=6rxu4NwnUqA](https://m.youtube.com/watch?v=6rxu4NwnUqA)

------
kyledrake
This is interesting for screwing up badges at Defcon, but I wouldn't lose too
much sleep over it. They're neat devices but not really used for anything
critical. I'm also not sure they're being used for a lot of consumer devices.
If you war drived a major hackerspace you might reset an led light art
project.

~~~
vena
They're a lot more ubiquitous than some burner's art projects. While I
wouldn't necessarily fret over a light switch crashing, Espressif chips are
popping up in home security products like SimpliSafe. Likely safe in a home
from the WPA2 Enterprise hijack, simply crashing SimpliSafe base stations
might lead to fun times.

------
Tepix
I'd like to see a writeup how they discovered these weaknesses.

------
watsocd
It's fine to say we want everything as secure as possible. But what about the
tradeoff between a system being easy to connect/use and making it so difficult
to connect that hobbyist users can't get the device to work.

If you are doing mission critical or life-safety related work with $3 devices,
you are doing it wrong. Spend a little more and use something else.

In my case, I am monitoring room temperatures in my house with several ESP8266
devices so I want easy-to-connect features. I don't care about security in
this application.

~~~
ClumsyPilot
Actually I think it's easier to make a cheap, mass-produced device secure
because you have loads of eyes to check the code.

~~~
watsocd
I wasn't arguing against open source. I agree with you on that subject.

But there is a point where you make a device so secure that it can be very
difficult to connect with anything.

------
frenchie4111
Are there any open-source hardware/software ESP clones. Similar to what
Arduino did in the micro-controller space?

~~~
kesor
It would be really hard to "clone" a SOC. Since it's not a board that you can
print for a buck these days, it actually requires a fab to print chips ...
which is not something that is common to open source yet.

~~~
frenchie4111
Oh I guess I didn't mean "clone" literally. Just an as-or-more-easy-to-use
WiFi SOC.

------
skataz
That's why I keep them in my network only

------
jrugk
The title of this submission made it sound like those are aeroplane models.

