New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

WiFi mode on the ESP8266 reverts to AP+STA on each reset of the Star OTTO Light board #24

Open
MartyMacGyver opened this Issue May 21, 2017 · 1 comment

Comments

Projects
None yet
1 participant
@MartyMacGyver

MartyMacGyver commented May 21, 2017

The Star OTTO Light is initially in WiFi mode AP+STA. This creates an insecure Arduino-Star-Otto-******* network that any random device can connect to. While this is useful during the initial setup (absent a secure serial-only method) it is a major security vulnerability otherwise.

STA-only mode is advised in the Getting Started documentation, and one would expect the updated setting to persist across device resets. Instead, the setting is reverted each time the Star OTTO Light is reset, resulting in a return to AP+STA mode. The WiFi network and password settings are retained, but this important setting is not retained, resulting in an insecure pathway to the device on each reset.

My Star OTTO Light device is using wifilink - 1.0.1 (20170509). It has this ESP8266 firmware security bug out of the box (for unrelated reasons I've yet to flash any software onto the device.)

Edit: A look at the code suggests the problem is in WBServer.ino's initWBServer() function, where WiFi.mode() is set to WIFI_AP_STA:

@MartyMacGyver

This comment has been minimized.

MartyMacGyver commented Jul 4, 2017

Even worse, in conjunction with issues #25 and #29, this means that every time you boot the board an attacker can simply connect unauthenticated to the board, browse to the default ip for the board in AP mode and read the plaintext configuration via http://<defaultip>/config.json

This is entirely unacceptable and unsafe. In fact, given the insecurity of the present web interface I'd suggest disabling it by default and configuring it instead to use a sketch-based method to update the board's credentials and settings.

As for using config.json in SPIFFS for wifi credentials, I don't believe this is a best practice for the ESP8266 when using https://github.com/esp8266/Arduino. The example in https://github.com/esp8266/Arduino/blob/master/libraries/DNSServer/examples/CaptivePortalAdvanced/CaptivePortalAdvanced.ino is more robust, and won't easily leak the credentials.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment