Skip to content
This repository has been archived by the owner. It is now read-only.

WiFi mode on the ESP8266 reverts to AP+STA on each reset of the Star OTTO Light board #24

MartyMacGyver opened this issue May 21, 2017 · 1 comment


Copy link

@MartyMacGyver MartyMacGyver commented May 21, 2017

The Star OTTO Light is initially in WiFi mode AP+STA. This creates an insecure Arduino-Star-Otto-******* network that any random device can connect to. While this is useful during the initial setup (absent a secure serial-only method) it is a major security vulnerability otherwise.

STA-only mode is advised in the Getting Started documentation, and one would expect the updated setting to persist across device resets. Instead, the setting is reverted each time the Star OTTO Light is reset, resulting in a return to AP+STA mode. The WiFi network and password settings are retained, but this important setting is not retained, resulting in an insecure pathway to the device on each reset.

My Star OTTO Light device is using wifilink - 1.0.1 (20170509). It has this ESP8266 firmware security bug out of the box (for unrelated reasons I've yet to flash any software onto the device.)

Edit: A look at the code suggests the problem is in WBServer.ino's initWBServer() function, where WiFi.mode() is set to WIFI_AP_STA:

Copy link

@MartyMacGyver MartyMacGyver commented Jul 4, 2017

Even worse, in conjunction with issues #25 and #29, this means that every time you boot the board an attacker can simply connect unauthenticated to the board, browse to the default ip for the board in AP mode and read the plaintext configuration via http://<defaultip>/config.json

This is entirely unacceptable and unsafe. In fact, given the insecurity of the present web interface I'd suggest disabling it by default and configuring it instead to use a sketch-based method to update the board's credentials and settings.

As for using config.json in SPIFFS for wifi credentials, I don't believe this is a best practice for the ESP8266 when using The example in is more robust, and won't easily leak the credentials.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
1 participant