ESP8266 And ESP32 WiFi Hacked!

[Matheus Garbelini] just came out with three (3!) different WiFi attacks on the popular ESP32/8266 family of chips. He notified Espressif first (thanks!) and they’ve patched around most of the vulnerabilities already, but if you’re running software on any of these chips that’s in a critical environment, you’d better push up new firmware pretty quick.

The first flaw is the simplest, and only effects ESP8266s. While connecting to an access point, the access point sends the ESP8266 an “AKM suite count” field that contains the number of authentication methods that are available for the connection. Because the ESP doesn’t do bounds-checking on this value, a malicious fake access point can send a large number here, probably overflowing a buffer, but definitely crashing the ESP. If you can send an ESP8266 a bogus beacon frame or probe response, you can crash it.

What’s most fun about the beacon frame crasher is that it can be implemented on an ESP8266 as well. Crash-ception! This takes advantage of the ESP’s packet injection mode, which we’ve covered before.

The second and third vulnerabilities exploit bugs in the way the ESP libraries handle the extensible authentication protocol (EAP) which is mostly used in enterprise and higher-security environments. One hack makes the ESP32 or ESP8266 on the EAP-enabled network crash, but the other hack allows for a complete hijacking of the encrypted session.

These EAP hacks are more troubling, and not just because session hijacking is more dangerous than a crash-DOS scenario. The ESP32 codebase has already been patched against them, but the older ESP8266 SDK has not yet. So as of now, if you’re running an ESP8266 on EAP, you’re vulnerable. We have no idea how many ESP8266 devices are out there in EAP networks,¬† but we’d really like to see Espressif patch up this hole anyway.

[Matheus] points out the irony that if you’re using WPA2, you’re actually safer than if you’re unpatched and using the nominally more secure EAP. He also wrote us that if you’re stuck with a bunch of ESP8266s in an EAP environment, you should at least encrypt and sign your data to prevent eavesdropping and/or replay attacks.

Again, because [Matheus] informed Espressif first, most of the bugs are already fixed. It’s even percolated downstream into the Arduino-for-ESP, where it’s just been worked into the latest release a few hours ago. Time for an update. But those crusty old NodeMCU builds that we’ve got running everything in our house?¬† Time for a full recompile.

We’ve always wondered when we’d see the first ESP8266 attacks in the wild, and that day has finally come. Thanks, [Matheus]!

The Amazon Dash Button: A Retrospective

The Internet of Things will revolutionize everything! Manufacturing? Dog walking? Coffee bean refilling? Car driving? Food eating? Put a sensor in it! The marketing makes it pretty clear that there’s no part of our lives which isn’t enhanced with The Internet of Things. Why? Because with a simple sensor and a symphony of corporate hand waving about machine learning an iPhone-style revolution is just around the corner! Enter: Amazon Dash, circa 2014.

The first product in the Dash family was actually a barcode scanning wand which was freely given to Amazon Fresh customers and designed to hang in the kitchen or magnet to the fridge. When the Fresh customer ran out of milk they could scan the carton as it was being thrown away to add it to their cart for reorder. I suspect these devices were fairly expensive, and somewhat too complex to be as frequently used as Amazon wanted (thus the extremely limited launch). Amazon’s goal here was to allow potential customers to order with an absolute minimum of friction so they can buy as much as possible. Remember the “Buy now with 1-Click” button?

That original Dash Wand was eventually upgraded to include a push button activated Alexa (barcode scanner and fridge magnet intact) and is generally available. But Amazon had pinned its hopes on a new beau. Mid 2015 Amazon introduced the Dash Replenishment Service along with a product to be it’s exemplar – the Dash Button. The Dash Button was to be the 1-Click button of the physical world. The barcode-scanning Wands require the user to remember the Wand was nearby, find a barcode, scan it, then remember to go to their cart and order the product. Too many steps, too many places to get off Mr. Bezos’ Wild Ride of Commerce. The Dash Buttons were simple! Press the button, get the labeled product shipped to a preconfigured address. Each button was purchased (for $5, with a $5 coupon) with a particular brand affinity, then configured online to purchase a specific product when pressed. In the marketing materials, happy families put them on washing machines to buy Tide, or in a kitchen cabinet to buy paper towels. Pretty clever, it really is a Buy now with 1-Click button for the physical world.

There were two versions of the Dash button. Both have the same user interface and work in fundamentally the same way. They have a single button (the software can recognize a few click patterns), a single RGB LED (‘natch), and a microphone (no, it didn’t listen to you, but we’ll come back to this). They also had a WiFi radio. Version two (silently released in 2016) added Bluetooth and completely changed the electrical innards, though to no user facing effect.

In February 2019, Amazon stopped selling the Dash Buttons. Continue reading “The Amazon Dash Button: A Retrospective”

This WiFi Spoofing Syringe Is For External Use Only

A browse through his collected works will tell you that [El Kentaro] loves to build electronics into interesting enclosures, so when he realized there’s enough room inside a 150 ml plastic syringe to mount an ESP8266, a battery, and a copious amount of RGB LEDs, the “Packet Injector” was the inescapable result.

Granted, the current incarnation of this device doesn’t literally inject packets. But [El Kentaro] wasn’t actually looking to do anything malicious, either. The Injector is intended to be a fun gag for him to bring along to the various hacker cons he finds himself at, like his DEAUTH “bling” necklace we saw at DEF CON 26, so having any practical function is really more icing on the cake than a strict requirement.

In the end, the code he came up with for the Adafruit Feather HUZZAH that uses the FakeBeaconESP8266 library to push out fictitious networks on demand. This is a trick we’ve seen used in the past, and makes for a relatively harmless prank as long as you’re not pumping out any particularly unpleasant SSIDs. In this case, [El Kentaro] punctuates his technicolor resplendency with beacons pronouncing “The WiFi Doctor is Here.”

But the real hack here is how [El Kentaro] controls the device. Everything is contained within the syringe chamber, and he uses a MPL3115A2 I2C barometric pressure sensor to detect when it’s being compressed. If the sensor reads a pressure high enough over the established baseline, the NeoPixel Ring fires up and the fake beacon frames start going out. Ease up on the plunger, and the code detects the drop in pressure and turns everything back off.

If this build has piqued your interest, [El Kentaro] gave a fascinating talk about his hardware design philosophy during the WOPR Summit that included how he designed and built some of his “greatest hits”; including a Raspberry Pi Zero enclosure that was, regrettably, not limited to external use.

Boost Your WiFi Range With Cookware

WiFi was the killer technology that made home networking easy. No more messing around with hubs and cables and drilling holes in walls, simply turn the devices on and hit connect. Over time the speed and range has increased, but those with larger houses or granny flats out back have suffered. There are tricks to boost range however, and some of them involve cookware.

The clever hack here is to use a metal strainer as a parabolic reflector, to capture signals and focus them onto the PCB antenna in a USB WiFi dongle. The strainer is drilled out, and a USB extension cable has its female end glued into the base. This allows the dongle to be positioned inside the strainer. For best results, the dongle should be positioned so that its antenna elements are sitting at the focal point of the parabola; this can be determined through mathematics or simply by experimenting with positions to see what gives the best signal strength.

It’s a design that is quite directional, and should help boost signals as well as block out those from unwanted stations. The build is simple, and can even be tripod mounted which helps with aiming and looks cool to boot.

For many, WiFi antenna hacks are old school, but it’s always good to keep the techniques in mind as you never know when it will come in handy to solve a new problem. Some crazy things are possible with the right gear, too.

Four Years Of Learning ESP8266 Development Went Into This Guide

The ESP8266 is a great processor for a lot of projects needing a small microcontroller and Wi-Fi, all for a reasonable price and in some pretty small form factors. [Simon] used one to build a garage door opener. This project isn’t really about his garage door opener based on a cheap WiFi-enabled chip, though. It’s about the four year process he went through to learn how to develop on these chips, and luckily he wrote a guide that anyone can use so that we don’t make the same mistakes he did.

The guide starts by suggesting which specific products are the easiest to use, and then moves on to some “best practices” for using these devices (with which we can’t argue much), before going through some example code. The most valuable parts of this guide especially for anyone starting out with these chips are the section which details how to get the web server up and running, and the best practices for developing HTML code for the tiny device (hint: develop somewhere else).

[Simon] also makes extensive use of the Chrome developers tools when building the HTML for the ESP. This is a handy trick even outside of ESP8266 development which might be useful for other tasks as well. Even though most of the guide won’t be new to anyone with experience with these boards, there are a few gems within it like this one that might help in other unrelated projects. It’s a good read and goes into a lot of detail about more than just the ESP chips. If you just want to open your garage door, though, you have lots of options.

Torturing An Instrumented Dive Watch, For Science

The Internet is a wild and wooly place where people can spout off about anything with impunity. If you sound like you know what you’re talking about and throw around a few bits of the appropriate jargon, chances are good that somebody out there will believe whatever you’re selling.

Case in point: those that purport that watches rated for 300-meter dives will leak if you wiggle them around too much in the shower. Seems preposterous, but rather than just dismiss the claim, [Kristopher Marciniak] chose to disprove it with a tiny wireless pressure sensor stuffed into a dive watch case. The idea occurred to him when his gaze fell across an ESP-01 module next to a watch on his bench. Figuring the two needed to get together, he ordered a BMP280 pressure sensor board, tiny enough itself to fit anywhere. Teamed up with a small LiPo pack, everything was stuffed into an Invicta dive watch case. A little code was added to log the temperature and pressure and transmit the results over WiFi, and [Kristopher] was off to torture test his setup.

The first interesting result is how exquisitely sensitive the sensor is, and how much a small change in temperature can affect the pressure inside the case. The watch took a simulated dive to 70 meters in a pressure vessel, which only increased the internal pressure marginally, and took a skin-flaying shower with a 2300-PSI (16 MPa) pressure washer, also with minimal impact. The video below shows the results, but the take-home message is that a dive watch that leaks in the shower isn’t much of a dive watch.

Hats off to [Kristopher] for doing the work here. We always love citizen science efforts such as this, whether it’s hardware-free radio astronomy or sampling whale snot with a drone.

Continue reading “Torturing An Instrumented Dive Watch, For Science”

Connecting New York City To The Backbone: Meet NYC’s Mesh Network

Access to fast and affordable internet is a big issue in the USA, even in a major metropolis such as New York City. Amidst a cartel of ISPs who simply will not deliver, a group of NYC inhabitants first took it upon themselves to ease this situation by setting up their own mesh-based internet connections way back in 2013. Now they will be installing a new Supernode to take the installation base far beyond the current 300 buildings serviced.

As a community project, NYC Mesh is run as a non-profit organization, with its community members supporting the effort through donations, along with partnerships with businesses. Its router hardware consists out of off-the-shelf equipment (with a focus on the Ubiquiti NanoStation NSM5) that get flashed with custom firmware containing the mesh routing functionality.

As this article by Vice mentions, NYC Mesh is one of 750 community-led broadband projects in the US. Many of those use more traditional fixed wiring with distribution lines, but NYC Mesh focuses fully on wireless (WiFi) links with wireless mesh networking. This has the obvious benefit that given enough bandwidth on the Supernodes that hook into the Internet exchange points (IXP) and an efficient mesh routing protocol, it’s quick and easy to hook up new clients and expand the network.

The obvious downsides of using WiFi and RF in general is that they are not immune to outside influences, such as weather (rain), RF interference (including from other WiFi stations) and of course fairly limited range if there’s no direct line of sight. In a densely populated city such as NYC this is not much of an issue, with short hops between roof tops.