Matheus-Garbelini / esp32_esp8266_attacks, Hacker News

Proof of Concept of ESP 32 / 8266 Wi-Fi vulnerabilties (CVE – 2019 – 12586, CVE – 2019 – 12587, CVE – 2019 – 12588)

This repository is to demonstrate 3 Wi-Fi attacks against the popular ESP 32 / 8266 IoT devices:

Zero PMK Installation (CVE – 2019 – 12587)– Hijacking ESP 32 / ESP 8266 clients connected to enterprise networks;
(ESP) / ESP 8266 EAP client crash (CVE – 2019 – 12586)– Crashing ESP devices connected to enterprise networks;
(ESP) Beacon Frame Crash (CVE – 2019 – 12588)– Crashing ESP (Wi-Fi devices.)

Follow the links on each vulnerability for more details and Espressif’s patches.

This vulnerabilities were found in SDKs of ESP 32 and ESP 8266. Their version were ESP-IDF v4.0-dev – 459 – G7A 31 cb7 and NONOS-SDK v3.0 – 103 – G7A 31 cb7 respectivelly at the time of the vulnerabilities discovery.

While a custom version of hostapd is provided to test the first 2 vulnerabilities, for the last one, an ESP (is used to inject fake) . 11 beacon frames in order to crash others of its own (no pun intended!).

PoC Building and running instructions

Running pre compiled binary

If you are running debian or ubuntu you can execute the already compiled hostapd in the folderhostapd-2.8_binary. Just runhostapd-2.8_binary / run_hostapd_exploit.shto start the access point to test the vulnerability orhostapd-2.8_binary / run_hostapd_normal.shto start without this test. Be advised that you need to stop network services withservice network-manager stopfor your Wi-Fi interface to be free.

TLDR:

service network-manager stop ./run_zero_pmk_EAP.sh#to test against CVE- 2019 - 12587 (remember to restart ESP first)./run_crash_esp_EAP.sh#to test against CVE- 2019 - 12586

Running from source

If for some reason the binary doesn’t work with your system, you can compile the projecthostapd-2.8_sourceby running the script./ buid.sh. The script installs the following dependencies before running the tool:build-essential pkg -config git libnl-genl-3-dev libssl-dev libnl-route-3-dev.

After the build is successful, you can run the script./ run_hostapd_exploit.shto start the access point to test the vulnerability or./ run_hostapd_normal.shto start without the test.

TLDR:

./ build ./run_zero_pmk_EAP.sh#to test against CVE- 2019 - 12587 (remember to restart ESP first)./run_crash_esp_EAP.sh#to test against CVE- 2019 - 12586

Testing CVE – 2019 – 12588

In order to compile the code for esp 8266 in folderbeacon_frame_crasher, it’s necessary to follow the steps in (ESP) Deauther. This is a modified version of the board support package for ESP 8266 that allows the injection of raw 802. 11 frames. A binary is also provided for a quick test inbeacon_frame_crasher / ESP 8266 Crasher.ino.d1_mini.binin case you have a spare wemos d1 mini board. Note that this code is hardcoded to crash an ESP 8266 configured for an access point with a ssid=TEST_KRA.

As soon as the “beacon frame crasher” device starts, the other ESP 8266 devices connected to an access point should restart intermittently.

PoC Output

If your ESP device SDK is vulnerable toCVE – 2019 – 12587, you should receive an output like this from hostapd:

If your ESP device SDK is vulnerable toCVE – 2019 – 12586, you should receive an output like this from hostapd:

In this case, as the device is restarting every time it attempts a connection with hostapd, you should receive a lot of logs indicating re-connection. If you’re monitoring the device serial port, you can also receive trace logs.

Configuring

No need to configure. By default the PoC access point have the following default configuration:

ssid=TEST_KRA
channel=9
bssid=28: C6: 3F: A8: AF: C5
interface=wlan1mon
server_cert=wpa2_server.pem private_key=wpa2_server.key
user=matheus_garbelini
user_password=testtest
EAP method=PEAP

To change this options, change the filehostapd.confin the root folder of hostapd (hostapd-2.8_binary / hostapd.conf (orhostapd-2.8_source / hostapd / hostapd.conf).Please change the interface parameter to match your Wi-Fi NIC, it's advised to leave other parameters as the default if you wish to test the ESP 32 / 8266 client test codes. Correct certificates are also included (same from ESP-IDF repository), so no need to change them in hostapd folder.


If you wish to change EAP methods or username credentials, just changehostapd.eap_user
(Attention)
Check if you your openssl library allows to use TLS version of 1.0. You can change this configuration normally in/ etc / ssl / openssl.cnf, Changing the last lines to:
[system_default_sect] MinProtocol=TLSv1.0 CipherString=DEFAULT @ SECLEVEL=1
Test client codes (optional)
The codes used for testing the vulnerable devices is in folder esp_client_test_codes. You need ESP-IDF and and ESP 8266 _ NONOS_SDK in order to compile both codes. Note that you should be using SDKs earlier than the ones mentioned