During one of our latest IoT Penetration Tests we tested a device based on the ESP32 SoC by EspressIF. While assessing the activation procedure we faced for the first time a beautiful yet dangerous protocol: SmartConfig.
The idea behind the SmartConfig protocol is to allow an unconfigured IoT device to connect to a WiFi network without requiring a direct connection between the configurator and the device itself – I know, it’s scary.
We have found an interesting and very detailed paper “Discovering and Understanding the Security Hazards in the Interactions between IoT Devices, Mobile Apps, and Clouds on Smart Home Platforms” describing how the protocol works and which are its security implications.
After the end of the Penetration Test I chose to spend part of my research time offered by Shielder on the SmartConfig protocol, also called ESPTouch in the ESP environment, to write a tool able to intercept WiFi credentials Over-The-Air.
This is how a standard activation procedure works:
“You said they are encoded, you meant encrypted, isn’t it?”
Back in 2013 Texas Instruments started using the SmartConfig protocol on the CC3000 module and George Hawkins, a Particle.io community member, pointed out for the first time how insecure this procol is.
So… yes(!), it’s possible to encrypt the BSSID and the password with AES, but:
In other words no, encryption is not in place and it wouldn’t even be a useful remediation.
The idea behind the tool is to extract WiFi credentials from a passive network sniffing recording.
The attack in a nutshell is:
NotSoSmartConfig.pyscript is executed with the
pcapfile as input;
You can download
NotSoSmartConfig from the dedicated repository on Shielder’s Github profile.
A more secure way to implement the activation procedure for ESP devices would be the SoftAP WiFi provisioning.
This is just another™ episode of the endless fight between security and usability. Choosing the right balance between the two aspects is always hard, but the IoT industry seems to just ignore any security principle in the design phase.
If you are developing an IoT solution consider engaging Shielder for a Penetration Test of your product before reaching the production stage and for a security review during the design phase.
20 April 2020
I’m thezero, Security Researcher and Senior Penetration Tester at Shielder.
In the office I’m the one with the soldering iron.