Friday, 9 June 2017

ESP8266 Sniffers, Deauthers and Scanners

Using the ESP8266 for (IoT) security research and testing

Why would I want to break stuff?

I have a background in education, but have worked as a network administrator with a strong security focus for the last 20+ years. So from time to time I do half-day user security awareness trainings in the company I work for.
To spice things up around the middle of the training, I have a collection of IT-security parlor tricks that don't require a lot of preparation, like manipulated DNS in a router and bit of fun with BeEF on Kali Linux.
I had used the ESP8266 in presentations a few times with some novelty projects like the Pong Clock. Never for nefarious purposes. Time to have a closer look.

What is it all about?

The ESP8266, like quite a few other WiFi chips (Atheros 9271 being one of the most notorious examples), has both the ability to send "manually" crafted packets, and to enter "monitor", or (not quite correctly in this context) "promiscuous"mode to receive data not specifically directed to the module.

Sounds pretty interesting, huh? - BUT:
  • The "wifi_send_pkt_freedom()" function was sadly removed from Espressif's SDK when upgrading from 1.3.0 to 1.4.0
  • The promiscuous mode only captures only 112 Bytes per packet. (128 Bytes, of which 16 are metainfo)
The good thing is that Kieran Simkin has put the original SDK 1.3.0 files here on Github, so not all of the freedom is lost.

(Note: The April 6th release notes for ESP-IDF 2.0 (ESP32 platform) mention "support for full packet-receive in sniffer mode" - Interestíng times ahead...)

What's out there? (In June 2017)

The IMHO most noteworthy examples:

Breadboarded deauther with OLED display

Why deauthenticate clients?

Being a royal pain in the ...uuh.. "behind" of other Wifi users, seems to be the main target of the majority of deauther-users. But the aforementioned monitor (or in this case: promiscuous) mode enables an attacker to capture the four-way handshake when the client re-connects to the access-point and get hold of the password hash.
If the password is short and/or weak enough to be brute forced or guessed from the hash, the attacker will get hold of the WPA preshared key (AKA Wifi password).
At the moment the limited promiscuous mode of the ESP8266 and/or it's SDK prevents this.
Not sure about the ESP32 yet, though.

Anything I can do about it?

Wifi equipment certified after July 2014 will support the 802.11w standard (defined some time around 2009) and will be immune to deauthentication attacks. A good reason to update your gear.