The ESP32 we commonly use in electronics development as an upgrade to the official Arduino boards was discovered in September to have four different WiFi vulnerabilities for the whole ESP SoC family (not exclusively ESP32). Espressif has already patched around most of the vulnerabilities. It is practical to know minimum details of the exploits at least to upgrade the firmware to the latest version.
The first flaw only affects ESP8266s. Its official name is ESP8266 Beacon Frame Crash (CVE-2019-12588) :
|
1 2 3 |
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12588 # |
It may invite denial of service (crash). The access point sends the ESP8266 a field which contains the number of authentication methods. A malicious access point can send a large number resulting overflowing a buffer! It is funny to know or test but not funny if your beacon is made funny by someone else.
The other two vulnerabilities exploit bugs in the ESP libraries which handle the extensible authentication protocol (EAP). The hacks may invite a higher-security EAP-enabled network to crash and the hijacking of the encrypted session.
|
1 2 3 4 |
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12586 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12587 # |
---
The ESP32 Forever-Hack
An attacker who takes the route of fault injection to disrupt the ESP32 CPU may bypass the Secure Boot digest verification at startup. The fault injection technique disrupts the behaviour of a given by injecting faults via physical access. That can be timed voltage or clock fluctuations. As fault injection demands the attacker to have physical access to the hardware, it can be controlled by other engineering methods.
In this exploit, the device will boot unverified code from flash. If the ESP32 is configured without Flash Encryption then fault injection will allow the arbitrary code execution. This attack does not disable the Flash Encryption feature. So if the ESP32 is configured with Secure Boot and Flash Encryption then the impact will be minimized.
|
1 2 3 4 5 |
# https://nvd.nist.gov/vuln/detail/CVE-2019-17391 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15894 https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot # |
Conclusion
Persons and the organizations who rely on ESP32 should consider a firmware update that checks eFuses. It is recommended to read the security advice from Espressif.
About Abhishek Ghosh
Here’s what we’ve got for you which might like :
Additionally, performing a search on this website can help you. Also, we have YouTube Videos.
Take The Conversation Further ...
We'd love to know your thoughts on this article.
Meet the Author over on Twitter to join the conversation right now!
If you want to Advertise on our Article or want a Sponsored Article, you are invited to Contact us.
Contact Us