What Will You Do With An Extra 1.2 Gigahertz?

While our collective minds have been turned towards the global pandemic it’s refreshing to hear that in some quarters life has continued, and events that would have made the news in more normal times have continued to take place while they have been replaced in coverage by more urgent considerations.

In the last few weeks there has been a piece of routine American bureaucracy that flew under the radar but which will have a significant effect on global technology: the United States’ Federal Communications Commission first proposed, then ratified, the allocation of an extra 1200 MHz of spectrum in the 6 GHz band to ISM usage. This allocation process is likely to be repeated by other regions worldwide, freeing up another significant piece of spectrum for unlicensed usage.

In practice this means that there will be a whole new set of WiFi channels created, and we’ll all have a little more spectrum to play around with, so it’s worth examining in a little more detail.

Underclocking The ESP8266 Leads To WiFi Weirdness

Sometimes the best hacks come from the most basic of questions. In this case, [CNLohr] was wondering what would happen if he started to reduce the clock speed of the ESP8266’s Baseband PLL (BBPLL) while still trying to communicate with it. You know, as one does. The results ended up being fairly surprising, and while it’s not immediately clear if there’s a practical application for this particular trick, it’s certainly worth some additional research.


The idea here is that the BBPLL is the reference clock for the entire system, including all of the peripherals. So underclocking it doesn’t just slow down code execution as you might expect, but it also slows down the chip’s interactions with the outside world. [CNLohr] demonstrates this concept in the video below, showing how the baud rate used to view the serial output from the ESP8266 needs to be adjusted to match the chip’s frequency or else you’ll only get garbage on the line.

But what happens to the WiFi? As [CNLohr] discovered, while the center frequency itself doesn’t change, the channel width gets narrower as the clock rate is lowered. When viewed on the waterfall display of a software defined radio (SDR), the transmission can be seen “compressing” in a step pattern as the clock rate is reduced. As one might expect, the 802.11 packets become indecipherable to a normal WiFi device running in monitor mode. The signal is still at the correct frequency, but the devices can no longer understand each other.

Now it was time for another of those basic questions. What would happen if you did the same thing to a second ESP8266? Much to his surprise, [CNLohr] discovered that the two devices could still communicate successfully as long as their BBPLL clock speed was the same. From an outsider’s perspective it looked like gibberish, but to the two ESPs which had been slowed by the same amount, everything worked as expected even though the 802.11 standards say it shouldn’t.

So what can you do with this? The most obvious application is a “stealth” WiFi connection between ESP8266s which wouldn’t show up to normal devices, a communications channel invisible to all but the most astute eavesdropper. [CNLohr] has made all the source code to pull this trick off public on GitHub, and it should be interesting to see what kind of applications (if any) hackers find for this standards-breaking behavior.

If your thing is devices being forced into operations they were never intended to by particularly twisted hackers, check out our recent coverage of the USB serial adapter turned SDR by [Ted Yapo].


Oh Great, WPA2 Is Broken

WPA2, the standard security for Wi-Fi networks these days, has been cracked due to a flaw in the protocol. Implications stemming from this crack range from decrypting Wi-Fi traffic to hijacking connections and injecting content. It’s fair to say, WPA2 is now Considered Harmful. The paper is available here (PDF).

This is a proof-of-concept exploit, and like all headline-making network security stories, it has a name. It’s called KRACK, for Key Reinstallation Attack. The key insight to this exploit is a vulnerability in the handshaking between routers and devices to establish a secure connection.

This is not the first time the researchers behind this exploit have found holes in WPA2. In a paper published by the KRACK researchers at the USENIX Symposium last August (PDF), they showed that the Random Number Generator used in 802.11 is flawed, ill-defined, and insecure. The researchers have also spoken at 33c3 on predicting WPA2 Group Keys.

The practical consequences of a poor definition and implementation of an RNG can be found in consumer hardware. The researchers found that in MediaTek-based routers, the only source of randomness is the current time. Meanwhile Broadcom-based routers do not use the RNG proposed by the 802.11 spec, but instead take the MD5 of the current time in microseconds. The researchers do not mention if the current time is a secret.
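An added example (not code from the paper or from any router firmware) of why a value derived only from the clock is weak: it measures how few candidates remain once the time is known approximately, beside the same check against a CSPRNG value. The 8-byte big-endian encoding of the timestamp, the sample timestamp, the clock offset and the 5 ms window are assumptions constructed for the demonstration.

```python
import hashlib
import math
import secrets

def time_derived_value(t_us: int) -> bytes:
    """MD5 of the current time in microseconds, as the passage describes.
    Assumption: the timestamp is hashed as an 8-byte big-endian integer."""
    return hashlib.md5(t_us.to_bytes(8, "big")).digest()

def csprng_value() -> bytes:
    """The corrected form: 128 bits from the operating system's CSPRNG."""
    return secrets.token_bytes(16)

def search_space_bits(window_us: int) -> float:
    """Entropy left when the clock is known to within +/- window_us."""
    return math.log2(2 * window_us + 1)

def candidates_until_match(observed: bytes, clock_us: int, window_us: int):
    """Walk every microsecond in the window; return (timestamp, tries),
    or (None, tries) if the value was not derived from a time in the window."""
    tries = 0
    for t in range(clock_us - window_us, clock_us + window_us + 1):
        tries += 1
        if time_derived_value(t) == observed:
            return t, tries
    return None, tries

# Constructed sample: a made-up generation time and an observer whose
# clock is 3.21 ms off, searching a +/- 5 ms window.
TRUE_US = 1_508_112_000_123_456
OBSERVER_CLOCK_US = TRUE_US + 3_210
WINDOW_US = 5_000

def audit():
    """Compare the time-derived value with a CSPRNG value over the same window."""
    weak = candidates_until_match(
        time_derived_value(TRUE_US), OBSERVER_CLOCK_US, WINDOW_US)
    strong = candidates_until_match(
        csprng_value(), OBSERVER_CLOCK_US, WINDOW_US)
    return weak, strong, round(search_space_bits(WINDOW_US), 1)

if __name__ == "__main__":
    print(audit())
```

Hashing the timestamp does not add entropy: the output is 128 bits long, but only about 13 bits of it are unknown in this window.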

So what do we do now?

This has happened before. In 2001, WEP, the Wi-Fi security protocol many security-ignorant people are still running, was cracked in much the same way as KRACK. This quickly led to the development of Aircrack, and in 2003, the Wi-Fi Alliance rolled out WPA and WPA2. Sure, you can still select a deprecated security protocol for your router, but the problem of WEP hacking is as solved as it’s ever going to be.

The early 2000s were a different time when it came to wireless networks, though here in 2017 Wi-Fi permeates every cubic inch of our lives. Everything and everyone has Wi-Fi now. This is going to be a bit bigger than cracking WEP, but it remains possible to patch devices to ensure that this exploit is rendered useless. Install those security updates, people! Of course there will still be millions of unpatched devices in a year’s time, and for those routers, IoT baubles, and other wireless devices, turning on WPA2 will be akin to having no security at all.

That said, this isn’t a world-ending Armageddon in the way the botnet of webcams was. You will only be vulnerable if an attacker is within range of your router, and you will still be secure if you’re accessing secure websites. However, turning off Wi-Fi on your phone, relying on mobile data, not ignoring HTTPS cert warnings, and plugging into an Ethernet port might not be a bad idea.

Sir, It Appears We’ve Been Jammed!

In a move that would induce ire in Lord Helmet, [Kedar Nimbalkar] has recreated Instructables user spacehun’s version of a WiFi jammer that comes with a handful of features certain to frustrate whoever has provoked its wrath.

The jammer is an ESP8266 development board — running some additional custom code — accessed and controlled by a cell phone. From the interface, [Nimbalkar] is able to target a WiFi network and boot all the devices off the network by de-authenticating them. Another method is to flood the airspace with bogus SSIDs to make connecting to a valid network a drawn-out affair.

This kind of signal interruption is almost certainly illegal where you live. It does no permanent damage, but once again draws attention to the existing deauth exploit and SSID loophole. [Nimbalkar] recreated this for educational purposes and to highlight weaknesses in 802.11 WiFi protocols. The 802.11w standard should alleviate some of our fake deauth woes by using protected frames. Once the device authenticates on a network it will be able to detect fake deauth packets.
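On the monitoring side, the deauth behaviour described above shows up as a burst of unprotected deauthentication or disassociation frames for one BSSID. The following is an added detection example, not code from [Nimbalkar]'s or spacehun's project: it parses the 802.11 MAC header and flags such bursts. The threshold, the window, the `make_frame` helper and every MAC address and timestamp in the sample capture are constructed for illustration.

```python
from collections import defaultdict, deque

DEAUTH, DISASSOC, BEACON = 12, 10, 8   # 802.11 management subtypes

def parse_mgmt(frame: bytes):
    """Parse the 24-byte 802.11 MAC header; None if not a management frame."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 0:   # type 0 = management
        return None
    return {
        "subtype": frame[0] >> 4,
        # Protected Frame bit: set on unicast management frames under 802.11w.
        # Group-addressed frames use an MMIE instead and are not recognised here.
        "protected": bool(frame[1] & 0x40),
        "dst": frame[4:10].hex(":"), "src": frame[10:16].hex(":"),
        "bssid": frame[16:22].hex(":"),
    }

def deauth_bursts(capture, threshold=5, window_s=1.0):
    """capture: time-ordered (timestamp_s, raw_frame) pairs. Returns the BSSIDs
    that saw >= threshold unprotected deauth/disassoc frames within window_s."""
    recent, flagged = defaultdict(deque), set()
    for ts, raw in capture:
        f = parse_mgmt(raw)
        if not f or f["subtype"] not in (DEAUTH, DISASSOC) or f["protected"]:
            continue
        q = recent[f["bssid"]]
        q.append(ts)
        while ts - q[0] > window_s:      # drop frames older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(f["bssid"])
    return sorted(flagged)

def make_frame(subtype, dst, src, bssid, protected=False, body=b"\x07\x00"):
    """Build a constructed test frame (header + 2-byte reason code by default)."""
    raw = lambda m: bytes.fromhex(m.replace(":", ""))
    fc = bytes([subtype << 4, 0x40 if protected else 0x00])
    return fc + b"\x00\x00" + raw(dst) + raw(src) + raw(bssid) + b"\x00\x00" + body

# Constructed capture: locally administered MACs, made-up timestamps.
AP_A, AP_B, STA = "02:00:00:00:00:aa", "02:00:00:00:00:bb", "02:00:00:00:00:01"
BCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE = (
    [(10.0 + 0.05 * i, make_frame(DEAUTH, BCAST, AP_A, AP_A)) for i in range(20)]
    + [(12.0, make_frame(DEAUTH, STA, AP_B, AP_B))]        # one ordinary deauth
    + [(13.0 + 0.05 * i, make_frame(DEAUTH, STA, AP_B, AP_B, protected=True))
       for i in range(20)]                                 # 802.11w-protected
    + [(14.0, make_frame(BEACON, BCAST, AP_B, AP_B, body=b""))]
)
```

Calling `deauth_bursts(SAMPLE)` flags only the first access point; the single ordinary deauth and the protected frames on the second stay below the alert.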

We featured a more targeted version of this hack that can be done using a PC — even targeting itself! And more recently there was a version that can target specific devices by jumping on the ACK.


Improving WiFi Throughput With FM Radio

WiFi networking is one of those things that is reasonably simple to use, but has a lot of complex hidden features (dare we say, hacks) that make it work, or work better. For example, consider the Distributed Coordination Function (DCF) specified in the standard. Before a station can send, it has to listen for a certain time period. If the channel is clear, the station sends. If not, it has to delay a random amount of time before trying again. This is a form of Carrier Sense Multiple Access (CSMA) channel management.

Unfortunately, listening time is dead time when, at least potentially, there is no data transmitted on the network. DCF allows you to use various handshaking packets to do virtual carrier detection and ready/clear to send, but these also make less efficient use of bandwidth. There are other optional coordination functions available in the WiFi standard, but they all have their drawbacks.

[Aleksandar Kuzmanovic] at Northwestern University and two of his students have recently published a paper with a new way to coordinate multiple unrelated wireless networks using ubiquitous FM broadcast radio signals called WiFM. Instead of trying to synchronize to the WiFi data channel, this new scheme selects a strong FM radio station that broadcasts Radio Data Service (RDS) data (the data that populates the song titles and other information on modern radios).


Arduino’s Long-Awaited Improved WiFi Shield

Announced at the 2014 Maker Faire in New York, the latest Arduino WiFi shield is finally available. This shield replaces the old Arduino WiFi shield, while providing a few neat features that will come in very handy for the yet-to-be-developed Internet of Things.

While the WiFi Shield 101 was announced a year ago, the feature set was interesting. The new WiFi shield supports 802.11n, and thanks to a few of Atmel’s crypto chip offerings, this shield is the first official Arduino offering to support SSL.

The new Arduino WiFi Shield 101 features an Atmel ATWINC1500 module for 802.11 b/g/n WiFi connectivity. This module, like a dozen or so other WiFi modules, handles the heavy lifting of the WiFi protocol, including TCP and UDP protocols, leaving the rest of the Arduino free to do the actual work. While the addition of 802.11n will be increasingly appreciated as these networks become more commonplace, the speed offered by ~n isn’t really applicable; you’re not going to be pushing bits out of an Arduino at 300 Mbps.

Also included on the WiFi shield is an ATECC508A CryptoAuthentication chip. This is perhaps the most interesting improvement over the old Arduino WiFi shield, and allows for greater security for the upcoming Internet of Things. WiFi modules already in the space have their own support for SSL, including TI’s CC3200 series of modules, Particle’s Internet of Things modules, and some support for the ESP8266.

Inside The Amazon Dash Button

The Amazon Dash Button is a tiny WiFi-enabled device that’s a simple button with a logo on the front. If you get the Tide-branded version, simply press the button and a bottle of laundry detergent will show up at your door in a few days. Get the Huggies-branded version, and a box of diapers will show up. Get the sugar-free Haribo gummi bear-branded version, and horrible evil will be at your doorstep shortly.

[Matt] picked up one of these Dash Buttons for 99 cents, and since a button completely dedicated to buying detergent wasn’t a priority, he decided to tear it apart.

The FCC ID reveals the Amazon Dash Button is a WiFi device, despite rumors of it having a Bluetooth radio. It’s powered by a single AA battery, and [Matt] posted pictures of the entire board.

Since this piece of Amazon electronics is being sold for 99 cents, whatever WiFi radio chip is inside the Dash Button could be used for some very interesting applications. If you have an idea of what chips are being used in [Matt]’s pictures, leave a note in the comments.