Using the ESP8266 for (IoT) security research and testing
Why would I want to break stuff?
I have a background in education, but have worked as a network administrator with a strong security focus for the last 20+ years. So from time to time I do half-day user security awareness trainings in the company I work for.
To spice things up around the middle of the training, I have a collection of IT-security parlor tricks that don't require a lot of preparation, like manipulated DNS in a router and a bit of fun with BeEF on Kali Linux.
I had used the ESP8266 in presentations a few times with some novelty projects like the Pong Clock. Never for nefarious purposes. Time to have a closer look.
What is it all about?
The ESP8266, like quite a few other WiFi chips (the Atheros AR9271 being one of the most notorious examples), has both the ability to send "manually" crafted packets and the ability to enter "monitor", or (not quite correctly in this context) "promiscuous", mode to receive data not specifically directed to the module.
Sounds pretty interesting, huh? - BUT:
- The "wifi_send_pkt_freedom()" function was sadly removed from Espressif's SDK when upgrading from 1.3.0 to 1.4.0.
- The promiscuous mode captures only 112 bytes per packet (128 bytes, of which 16 are meta-info).
The good thing is that Kieran Simkin has put the original SDK 1.3.0 files here on Github, so not all of the freedom is lost.
(Note: The April 6th release notes for ESP-IDF 2.0 (ESP32 platform) mention "support for full packet-receive in sniffer mode" - interesting times ahead...)
What's out there? (In June 2017)
The IMHO most noteworthy examples:
- https://git.schneefux.xyz/schneefux/jimmiejammer
  Not only will this sketch for the Arduino IDE deauthenticate everything on 2.4GHz, it also floods the client's SSID list with random entries.
- https://github.com/RandDruid/esp8266-deauth
  Also deauthenticates everything within its reach, but lets you whitelist individual devices. Great for "works for me, there must be something wrong with your device" scenarios.
- https://github.com/spacehuhn/esp8266_deauther
  This deauthenticator is all the rage these days, and that is well deserved: its user-friendly interface makes it very noob-friendly, so it currently attracts a lot of irresponsible script kiddies.
[Image: Breadboarded deauther with OLED display]
Why deauthenticate clients?
Being a royal pain in the ...uuh.. "behind" of other WiFi users seems to be the main goal of the majority of deauther users. But the aforementioned monitor (or in this case: promiscuous) mode enables an attacker to capture the four-way handshake when the client reconnects to the access point and so get hold of the password hash. If the password is short and/or weak enough to be brute-forced or guessed from the hash, the attacker will get hold of the WPA pre-shared key (AKA WiFi password).
At the moment the limited promiscuous mode of the ESP8266 and/or its SDK prevents this.
Not sure about the ESP32 yet, though.
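The flip side of what the deauthers above do is detecting them. As an added example (host-side C written for this page, not code from the post or from any of the projects linked above), here is the check a deauth detector running in promiscuous mode would apply to each received frame: decode the standard 802.11 frame-control byte, flag deauthentication/disassociation frames, and count those addressed to the broadcast destination. The sample frames are constructed; on the ESP8266 the caller would first skip the meta-info bytes the post mentions before handing the frame to these functions.

```c
#include <stdint.h>
#include <stddef.h>

/* IEEE 802.11 frame control, byte 0: bits 2-3 = type, bits 4-7 = subtype. */
#define FC_TYPE(b0)      (((b0) >> 2) & 0x03)
#define FC_SUBTYPE(b0)   (((b0) >> 4) & 0x0f)
#define TYPE_MGMT        0
#define SUBTYPE_DISASSOC 10
#define SUBTYPE_DEAUTH   12
#define DEAUTH_MIN_LEN   26   /* 24-byte MAC header + 2-byte reason code */

/* 1 if the frame is a deauthentication or disassociation frame, else 0.
   `frame` points at the first byte of the 802.11 header (on the ESP8266 the
   promiscuous callback buffer starts with meta-info, which the caller skips). */
int is_deauth_or_disassoc(const uint8_t *frame, size_t len) {
    if (len < DEAUTH_MIN_LEN || FC_TYPE(frame[0]) != TYPE_MGMT) return 0;
    uint8_t st = FC_SUBTYPE(frame[0]);
    return st == SUBTYPE_DEAUTH || st == SUBTYPE_DISASSOC;
}

/* Reason code: little-endian 16-bit field right after the 24-byte header. */
uint16_t deauth_reason(const uint8_t *frame) {
    return (uint16_t)(frame[24] | (frame[25] << 8));
}

/* Address 1 (bytes 4-9) all 0xff means the frame targets every client at once,
   the signature of the "deauthenticate everything" tools discussed above. */
int is_broadcast_dest(const uint8_t *frame) {
    for (int i = 4; i < 10; i++) if (frame[i] != 0xff) return 0;
    return 1;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t DEAUTH_BCAST[26] = {
    0xc0, 0x00, 0x3a, 0x01,                 /* FC: mgmt/deauth, duration */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff,     /* DA: broadcast */
    0x02, 0x11, 0x22, 0x33, 0x44, 0x55,     /* SA: (spoofed) AP address */
    0x02, 0x11, 0x22, 0x33, 0x44, 0x55,     /* BSSID */
    0x00, 0x00,                             /* sequence control */
    0x07, 0x00 };                           /* reason code 7 */
static const uint8_t BEACON_HDR[26] = { 0x80, 0x00, 0x00, 0x00,   /* FC: mgmt/beacon */
    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x10, 0x00, 0x00, 0x00 };

/* Count broadcast deauth/disassoc frames among the samples; a burst of these
   within a short window is what a monitoring node would alert on. */
int count_broadcast_deauths(void) {
    const uint8_t *frames[] = { DEAUTH_BCAST, BEACON_HDR, DEAUTH_BCAST };
    int hits = 0;
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        if (is_deauth_or_disassoc(frames[i], 26) && is_broadcast_dest(frames[i])) hits++;
    return hits;   /* 2 */
}
```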