18 Dec WiFi Vulnerabilities on ESP32/ESP8266 IoT Devices
The ESP32 is a series of low-cost, low-power, embedded Wi-Fi and dual-mode Bluetooth chip microcontrollers. ESP32 was designed and developed by Espressif Systems, a Chinese company headquartered in Shanghai, and is manufactured using its 40 nm process by TSMC. It is a successor of the microcontroller ESP8266.
IoT Device Security is a prime concern for any company that employs IoT devices or machines within its operation. Recently, Matheus Garbelini, a prominent security researcher discovered three distinct WiFi vulnerabilities on the popular ESP32/8266 IoT devices.
Zero PMK Installation (CVE-2019-12587)
CVE-2019-12587 was found within the SDKs of ESP32 and ESP8266. This threat allows hackers to hijack the session between the access point and the device by transmitting an EAP-Fail message during the final step when the device is connecting to the AP.
The affected IoT devices update the Pairwise Master Key only when they receive an Extensible Authentication Protocol (EAP) success message. If they receive an Extensible Authentication Protocol (EAP) fail message before the EAP-success, the devices will skip the PMK (Pairwise Master Key) update step and the devices will use a zero PMK which results in a hijacking of the session.
ESP32/ESP8266 EAP Client Crash (CVE-2019-12586)
The vulnerability CVE-2019-12586 was discovered in the SDKs of ESP32 and ESP8266. This vulnerability enables attackers within radio range to cause a denial of service (crash) via a crafted message against connected IoT devices. When the ESP32/ESP8266 wireless client receives an EAP-Success message shortly after initiating the EAP step, it immediately crashes because the device is erroneously attempting to complete the EAP step but does not have a valid Pairwise Master Key transferred and verified.
ESP8266 Beacon Frame Crash (CVE-2019-12588)
CVE-2019-12588 was discovered in Espressif ESP8266 NONOS SDK 3.0 and earlier. This threat exists because the client 802.11 MAC implementation does not accurately verify the RSN AuthKey suite list count in beacon frames, probe responses, and association responses. This shortcoming enables intruders within radio range to crash connected IoT devices via a crafted message.
According to the researcher, there are two conditions in an abnormal beacon frame that can trigger this IoT Device Security issue:
- ESP8266 device in station mode will crash when transmitting crafted 802.11 frames with the field Auth Key Management Suite Count (AKM) in RSN tag with a size too large or incorrect.
- ESP8266 device in station mode will crash when transmitting crafted 802.11 frames with the field Pairwise Cipher Suite Count in RSN tag with a size too large or incorrect.
The following Github repository contains a proof of concept that has been published for the three wireless vulnerabilities in the Espressif IoT devices (ESP32/ESP8266).