Proof of Concept of ESP32 / 8266 Wi-Fi vulnerabilities (CVE-2019-12586, CVE-2019-12587, CVE-2019-12588)
This repository demonstrates 3 Wi-Fi attacks against the popular ESP32 / ESP8266 IoT devices:
- Zero PMK Installation (CVE-2019-12587): hijacking ESP32 / ESP8266 clients connected to enterprise networks;
- ESP32 / ESP8266 EAP client crash (CVE-2019-12586): crashing ESP devices connected to enterprise networks;
- ESP8266 Beacon Frame Crash (CVE-2019-12588): crashing ESP8266 Wi-Fi devices.
Follow the links on each vulnerability for more details and Espressif’s patches.
These vulnerabilities were found in the SDKs of the ESP32 and ESP8266. Their versions were ESP-IDF v4.0-dev-459-g7a31cb7 and NONOS-SDK v3.0-103-g7a31cb7 respectively at the time the vulnerabilities were discovered.
While a custom version of hostapd is provided to test the first 2 vulnerabilities, for the last one an ESP8266 is used to inject fake 802.11 beacon frames in order to crash others of its own kind (no pun intended!).
PoC Building and running instructions
Running pre compiled binary
If you are running Debian or Ubuntu you can execute the already compiled hostapd in the folder `hostapd-2.8_binary`. Just run `hostapd-2.8_binary/run_hostapd_exploit.sh` to start the access point to test the vulnerability, or `hostapd-2.8_binary/run_hostapd_normal.sh` to start without this test. Be advised that you need to stop network services with `service network-manager stop` for your Wi-Fi interface to be free.
TLDR:
```shell
service network-manager stop
./run_zero_pmk_EAP.sh   # to test against CVE-2019-12587 (remember to restart the ESP first)
./run_crash_esp_EAP.sh  # to test against CVE-2019-12586
```
Running from source
If for some reason the binary doesn't work with your system, you can compile the project in `hostapd-2.8_source` by running the script `./build.sh`. The script installs the following dependencies before building the tool: `build-essential pkg-config git libnl-genl-3-dev libssl-dev libnl-route-3-dev`.
After the build is successful, you can run the script `./run_hostapd_exploit.sh` to start the access point to test the vulnerability, or `./run_hostapd_normal.sh` to start without the test.
TLDR:
```shell
./build.sh
./run_zero_pmk_EAP.sh   # to test against CVE-2019-12587 (remember to restart the ESP first)
./run_crash_esp_EAP.sh  # to test against CVE-2019-12586
```
Testing CVE-2019-12588
In order to compile the code for the ESP8266 in the folder `beacon_frame_crasher`, it's necessary to follow the steps in ESP8266 Deauther. This is a modified version of the board support package for the ESP8266 that allows the injection of raw 802.11 frames. A binary is also provided for a quick test in `beacon_frame_crasher/ESP8266 Crasher.ino.d1_mini.bin` in case you have a spare Wemos D1 mini board. Note that this code is hardcoded to crash an ESP8266 configured for an access point with `ssid=TEST_KRA`.
As soon as the "beacon frame crasher" device starts, the other ESP8266 devices connected to that access point should restart intermittently.
PoC Output
If your ESP device SDK is vulnerable to CVE-2019-12587, you should receive an output like this from hostapd:
If your ESP device SDK is vulnerable to CVE-2019-12586, you should receive an output like this from hostapd:
In this case, as the device restarts every time it attempts a connection with hostapd, you should receive a lot of log lines indicating re-connection. If you're monitoring the device's serial port, you can also see the crash trace logs there.
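Because the crash in CVE-2019-12586 shows up on the AP side as the same station associating again and again, a defender can spot a client stuck in such a loop from hostapd's logs alone. The following script is an added example, not part of this repository; it assumes hostapd was started with `-t` so that lines carry an epoch timestamp, and the log lines embedded in it are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of hostapd output (started with -t, so each line
# carries an epoch timestamp); MACs and times are made up for this example.
SAMPLE_LOG = """\
1562000000.10: wlan1mon: STA 24:0a:c4:11:22:33 IEEE 802.11: associated
1562000001.40: wlan1mon: STA 24:0a:c4:11:22:33 IEEE 802.11: disassociated
1562000002.00: wlan1mon: STA 5c:cf:7f:aa:bb:cc IEEE 802.11: associated
1562000003.20: wlan1mon: STA 24:0a:c4:11:22:33 IEEE 802.11: associated
1562000004.70: wlan1mon: STA 24:0a:c4:11:22:33 IEEE 802.11: disassociated
1562000006.00: wlan1mon: STA 24:0a:c4:11:22:33 IEEE 802.11: associated
1562000008.90: wlan1mon: STA 24:0a:c4:11:22:33 IEEE 802.11: disassociated
1562000009.50: wlan1mon: STA 24:0a:c4:11:22:33 IEEE 802.11: associated
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?): \S+: STA (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) "
    r"IEEE 802\.11: (?P<event>associated|disassociated)$"
)

def parse_assoc_events(log_text):
    """Return {mac: [timestamps of 'associated' events]} from hostapd -t output."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("event") == "associated":
            events[m.group("mac")].append(float(m.group("ts")))
    return events

def find_reconnect_loops(log_text, window_s=10.0, threshold=3):
    """Flag STAs that associate at least `threshold` times within any
    `window_s`-second span: a healthy client associates once and stays,
    while a client rebooting on every EAP attempt re-associates every few seconds."""
    flagged = {}
    for mac, times in parse_assoc_events(log_text).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window_s:
                start += 1  # slide the window forward
            count = end - start + 1
            if count >= threshold:
                flagged[mac] = max(flagged.get(mac, 0), count)
    return flagged

if __name__ == "__main__":
    for mac, n in find_reconnect_loops(SAMPLE_LOG).items():
        print(f"{mac}: {n} associations within 10 s -> possible crash/reconnect loop")
```

The same check works on a live `hostapd -t` stream piped into the script, with the window and threshold tuned to the expected reboot time of the client firmware.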
Configuring
No need to configure. By default the PoC access point has the following configuration:
- ssid=TEST_KRA
- channel=9
- bssid=28:C6:3F:A8:AF:C5
- interface=wlan1mon
- server_cert=wpa2_server.pem private_key=wpa2_server.key
- user=matheus_garbelini
- user_password=testtest
- EAP method=PEAP
To change these options, edit the file `hostapd.conf` in the root folder of hostapd (`hostapd-2.8_binary/hostapd.conf` or `hostapd-2.8_source/hostapd/hostapd.conf`). Please change the interface parameter to match your Wi-Fi NIC; it's advised to leave the other parameters at their defaults if you wish to test the ESP32 / 8266 client test codes. Correct certificates are also included (the same ones from the ESP-IDF repository), so there is no need to change them in the hostapd folder.
If you wish to change EAP methods or user credentials, just change `hostapd.eap_user`.