The ESP32 we commonly use in electronics development as an upgrade to the official Arduino boards was discovered in September to have four different WiFi vulnerabilities for the whole ESP SoC family (not exclusively ESP32). Espressif has already patched around most of the vulnerabilities. It is practical to know minimum details of the exploits at least to upgrade the firmware to the latest version.
The first flaw only affects ESP8266s. Its official name is ESP8266 Beacon Frame Crash (CVE-2019-12588) :
|
1 2 3 |
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12588 # |
It may invite denial of service (crash). The access point sends the ESP8266 a field which contains the number of authentication methods. A malicious access point can send a large number resulting overflowing a buffer! It is funny to know or test but not funny if your beacon is made funny by someone else.
---
The other two vulnerabilities exploit bugs in the ESP libraries which handle the extensible authentication protocol (EAP). The hacks may invite a higher-security EAP-enabled network to crash and the hijacking of the encrypted session.
|
1 2 3 4 |
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12586 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12587 # |
The ESP32 Forever-Hack
An attacker who takes the route of fault injection to disrupt the ESP32 CPU may bypass the Secure Boot digest verification at startup. The fault injection technique disrupts the behaviour of a given by injecting faults via physical access. That can be timed voltage or clock fluctuations. As fault injection demands the attacker to have physical access to the hardware, it can be controlled by other engineering methods.
In this exploit, the device will boot unverified code from flash. If the ESP32 is configured without Flash Encryption then fault injection will allow the arbitrary code execution. This attack does not disable the Flash Encryption feature. So if the ESP32 is configured with Secure Boot and Flash Encryption then the impact will be minimized.
|
1 2 3 4 5 |
# https://nvd.nist.gov/vuln/detail/CVE-2019-17391 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15894 https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot # |
Conclusion
Persons and the organizations who rely on ESP32 should consider a firmware update that checks eFuses. It is recommended to read the security advice from Espressif.
Tagged With esp32 hijacking of the encrypted session , ESP32 IoT Devices Vulnerable to Forever-Hack , esp32 security vulnerabilities , esp32 vulnerability , espressif firmware vulnerabilities