• Home
  • Archive
  • Tools
  • Contact Us

The Customize Windows

Technology Journal

  • Cloud Computing
  • Computer
  • Digital Photography
  • Windows 7
  • Archive
  • Cloud Computing
  • Virtualization
  • Computer and Internet
  • Digital Photography
  • Android
  • Sysadmin
  • Electronics
  • Big Data
  • Virtualization
  • Downloads
  • Web Development
  • Apple
  • Android
Advertisement
You are here: Home » Explanation of the ESP32 Vulnerability Warnings

By Abhishek Ghosh December 6, 2019 6:10 am Updated on December 6, 2019

Explanation of the ESP32 Vulnerability Warnings

Advertisement

The ESP32 we commonly use in electronics development as an upgrade to the official Arduino boards was discovered in September to have four different WiFi vulnerabilities for the whole ESP SoC family (not exclusively ESP32). Espressif has already patched around most of the vulnerabilities. It is practical to know minimum details of the exploits at least to upgrade the firmware to the latest version.

The first flaw only affects ESP8266s. Its official name is ESP8266 Beacon Frame Crash (CVE-2019-12588) :

Vim
1
2
3
#
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12588
#

It may invite denial of service (crash). The access point sends the ESP8266 a field which contains the number of authentication methods. A malicious access point can send a large number resulting overflowing a buffer! It is funny to know or test but not funny if your beacon is made funny by someone else.

Advertisement

---

The other two vulnerabilities exploit bugs in the ESP libraries which handle the extensible authentication protocol (EAP). The hacks may invite a higher-security EAP-enabled network to crash and the hijacking of the encrypted session.

Vim
1
2
3
4
#
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12586
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12587
#

Explanation of the ESP32 Vulnerability Warnings

 

The ESP32 Forever-Hack

 

An attacker who takes the route of fault injection to disrupt the ESP32 CPU may bypass the Secure Boot digest verification at startup. The fault injection technique disrupts the behaviour of a given by injecting faults via physical access. That can be timed voltage or clock fluctuations. As fault injection demands the attacker to have physical access to the hardware, it can be controlled by other engineering methods.

In this exploit, the device will boot unverified code from flash. If the ESP32 is configured without Flash Encryption then fault injection will allow the arbitrary code execution. This attack does not disable the Flash Encryption feature. So if the ESP32 is configured with Secure Boot and Flash Encryption then the impact will be minimized.

Vim
1
2
3
4
5
#
https://nvd.nist.gov/vuln/detail/CVE-2019-17391
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15894
https://www.espressif.com/en/news/Espressif_Security_Advisory_Concerning_Fault_Injection_and_Secure_Boot
#

 

Conclusion

 

Persons and the organizations who rely on ESP32 should consider a firmware update that checks eFuses. It is recommended to read the security advice from Espressif.

Tagged With esp32 hijacking of the encrypted session , ESP32 IoT Devices Vulnerable to Forever-Hack , esp32 security vulnerabilities , esp32 vulnerability , espressif firmware vulnerabilities

This Article Has Been Shared 249 Times!

Facebook Twitter Pinterest
Abhishek Ghosh

About Abhishek Ghosh

Abhishek Ghosh is a Businessman, Orthopaedic Surgeon, Author and Blogger. You can keep touch with him on Twitter - @AbhishekCTRL.

Here’s what we’ve got for you which might like :

Articles Related to Explanation of the ESP32 Vulnerability Warnings

  • Send Basic Push Message from Arduino ESP32 using Blynk

    How to Send Basic Push Message from Arduino ESP32 using Blynk? With Blynk like web service & library, it is easy to create such basic project.

  • How to Invert Signal for Arduino (HIGH to LOW or the Reverse)

    Such need is common when then need interfacing for IoT with household gadgets. Here is How to Invert Signal for Arduino (HIGH to LOW or the Reverse).

  • CircuitPython vs C/C++ vs Lua for the Microcontrollers

    Which Programming Language Better for the Microcontrollers to Invest Time? Here is CircuitPython vs C/C++ vs Lua Comparison for the Microcontrollers.

  • ESP32 Deep Sleep : Push Button Message to IBM Watson IoT

    ESP32 Deep Sleep With Push Button Message to IBM Watson IoT is an Basic Project Which Will Help Like Template to Create More Complex Projects.

  • Control Multiple AC Appliances With One ESP32 Arduino

    Here is how to use ESP32 and IBM Watson IoT to control multiple relays (i.e. multiple AC appliances) by pushbutton and over the internet.

Additionally, performing a search on this website can help you. Also, we have YouTube Videos.

Take The Conversation Further ...

We'd love to know your thoughts on this article.
Meet the Author over on Twitter to join the conversation right now!

If you want to Advertise on our Article or want a Sponsored Article, you are invited to Contact us.

Contact Us

Subscribe To Our Free Newsletter

You can subscribe to our Free Once a Day, Regular Newsletter by clicking the subscribe button below.

Click To Subscribe

Please Confirm the Subscription When Approval Email Will Arrive in Your Email Inbox as Second Step.

Search this website…

 

Popular Articles

Our Homepage is best place to find popular articles!

Here Are Some Good to Read Articles :

  • Cloud Computing Service Models
  • What is Cloud Computing?
  • Cloud Computing and Social Networks in Mobile Space
  • ARM Processor Architecture
  • What Camera Mode to Choose
  • Indispensable MySQL queries for custom fields in WordPress
  • Windows 7 Speech Recognition Scripting Related Tutorials

Social Networks

  • Pinterest (20K Followers)
  • Twitter (4.9k Followers)
  • Facebook (5.8k Followers)
  • LinkedIn (3.7k Followers)
  • YouTube (1.2k Followers)
  • GitHub (Repository)
  • GitHub (Gists)
Looking to publish sponsored article on our website?

Contact us

Recent Posts

  • What is Domain-Driven Design (DDD)? January 23, 2021
  • Top 10 Anti Hacking Software for Microsoft Windows January 22, 2021
  • What is Software Modernization? January 21, 2021
  • Cloud Computing : Cybersecurity Tips for Small Business Owners January 20, 2021
  • Arduino : Independently Blink Multiple LED January 18, 2021

 

About This Article

Cite this article as: Abhishek Ghosh, "Explanation of the ESP32 Vulnerability Warnings," in The Customize Windows, December 6, 2019, January 23, 2021, https://thecustomizewindows.com/2019/12/explanation-of-the-esp32-vulnerability-warnings/.

Source:The Customize Windows, JiMA.in

 

This website uses cookies. If you do not want to allow us to use cookies and/or non-personalized Ads, kindly clear browser cookies after closing this webpage.

Read Cookie Policy.

PC users can consult Corrine Chorney for Security.

Want to know more about us? Read Notability and Mentions & Our Setup.

Copyright © 2021 - The Customize Windows | dESIGNed by The Customize Windows

Copyright  · Privacy Policy  · Advertising Policy  · Terms of Service  · Refund Policy