
ESP8266 Attack Capabilities

PostPosted: Tue Jan 10, 2017 11:47 pm
by Xoyce
I am working on a student project which aims to explore the attack capabilities of the ESP8266 chip, in other words, how the ESP8266 could be used in offensive security, considering that it has full-stack WiFi capabilities and can also act as a small web server while at the same time being among the smallest chips with such functionality and also widely available on the market.

Since I am not much of a security expert, could anyone kindly share their ideas on this topic or some resources/code examples that could help?

I have some knowledge of the board itself, how it functions and how it is programmed.

Re: ESP8266 Attack Capabilities

PostPosted: Thu Jan 12, 2017 4:34 am
by martin_g
In general, an ESP8266 has about the same attack capabilities as any other WiFi-enabled device:

- it can passively sniff network traffic (best in open networks like hotspots; limited info is available as soon as the traffic is encrypted with WPA)
- it can act as a MITM by pretending to be a legitimate AP/hotspot/captive portal/web site
- it can actively send rogue messages, which mainly results in some kind of DoS attack (deauth attack, fake AP flooding)

What makes the ESP special is the fact that it is so small and cheap, and that it can run on batteries for quite some time. This means it can be placed anywhere, possibly even in larger quantities. Even if it is destroyed or unreachable after the attack, the attacker doesn't really care.

I can think of attacks with an ESP8266 where someone hides one or more small devices somewhere at an observed place (public place, hotel, private home), where they wait for activation (possibly in deep sleep mode on batteries). When activated they may sniff the local network (or some physical sensors) and may upload the observed info via local WiFi. They may even be used to spawn a local rogue AP (same SSID as the original APs) and try to route some traffic over the ESP as a MITM.

Re: ESP8266 Attack Capabilities

PostPosted: Thu Jan 12, 2017 8:51 am
by eduperez
As "martin_g" explained, the main advantage of an ESP is its small size and low price. And other than making bigger headlines in the newspaper, I do not see how that can be of any benefit to someone doing security research.

Re: ESP8266 Attack Capabilities

PostPosted: Thu Jan 12, 2017 9:45 am
by Xoyce
martin_g wrote: In general, an ESP8266 has about the same attack capabilities as any other WiFi-enabled device:

- it can passively sniff network traffic (best in open networks like hotspots; limited info is available as soon as the traffic is encrypted with WPA)
- it can act as a MITM by pretending to be a legitimate AP/hotspot/captive portal/web site
- it can actively send rogue messages, which mainly results in some kind of DoS attack (deauth attack, fake AP flooding)

What makes the ESP special is the fact that it is so small and cheap, and that it can run on batteries for quite some time. This means it can be placed anywhere, possibly even in larger quantities. Even if it is destroyed or unreachable after the attack, the attacker doesn't really care.

I can think of attacks with an ESP8266 where someone hides one or more small devices somewhere at an observed place (public place, hotel, private home), where they wait for activation (possibly in deep sleep mode on batteries). When activated they may sniff the local network (or some physical sensors) and may upload the observed info via local WiFi. They may even be used to spawn a local rogue AP (same SSID as the original APs) and try to route some traffic over the ESP as a MITM.

Thanks for clarifying. Indeed, it is similar to any other IoT WiFi-enabled hardware, but as you said, it has certain properties that make this board more suitable in some situations.

I would appreciate it if someone could elaborate on what the limitations are in terms of SDK and resources that would not allow some types of attacks. For instance, newer versions of the SDK don't include wifi_send_pkt_freedom() etc. Also, could this board be misused if an attacker gains access through the network?

eduperez wrote: As "martin_g" explained, the main advantage of an ESP is its small size and low price. And other than making bigger headlines in the newspaper, I do not see how that can be of any benefit to someone doing security research.

As has been said, the ESP does have some nice functionality like power management, but it also has SDK and resource limitations. So, I think there is room for discussion here, and I wouldn't so easily claim that there isn't any relevance in researching IoT in security, especially after the recent Mirai botnet.