On September 3, 2019, the ASSET Research Group published their discovery of three security vulnerabilities in the Wi-Fi protocol code used in the popular ESP32 and ESP8266 chipsets from Espressif, specifically relating to the Extensible Authentication Protocol (EAP). The following situation analysis was conducted by the Ayla Networks Research & Development team, including an advisory to customers. It should be noted that current Ayla customers will NOT be vulnerable to these exploits.
Details of the three vulnerabilities can be found here, but briefly, they are as follows:
- CVE-2019-12588 enables an attacker to reset any ESP8266 Wi-Fi device by sending it a malformed beacon frame.
- CVE-2019-12586 enables an attacker to reset an ESP32 or ESP8266 Wi-Fi device connected to an enterprise Wi-Fi network configured with EAP security.
- CVE-2019-12587 enables an attacker to inspect and modify communications with an ESP32 or ESP8266 Wi-Fi device connected to an enterprise Wi-Fi network configured with EAP security.
These vulnerabilities do not require an attacker to have any knowledge of the Wi-Fi network credentials to exploit them.
What IoT Devices May be Vulnerable?
All IoT devices based on the ESP8266 chipset are vulnerable to CVE-2019-12588. In addition, IoT devices that are configured for WPA-Enterprise Wi-Fi security are vulnerable to CVE-2019-12586 and CVE-2019-12587. That includes many common smart home devices and domestic appliances, such as plugs, switches, locks, coffee brewers, thermostats and cameras, as well as commercial connected equipment such as HVAC systems.
At this point, no ESP32- or ESP8266-based IoT devices configured to use WPA2-Personal security are vulnerable to CVE-2019-12586 or CVE-2019-12587. The EAP authentication method is only used to connect to WPA-Enterprise networks.
How Serious are These Vulnerabilities?
Device manufacturers should understand that the nature of these flaws is serious, and if exploited they can result in denial-of-service (DoS) attacks. Both CVE-2019-12588 and CVE-2019-12586 allow an attacker on the local Wi-Fi network to reset the IoT device.
CVE-2019-12587 is the most serious of the three vulnerabilities. It enables an attacker on the local Wi-Fi network to bypass the enterprise Wi-Fi security and inspect or modify all data exchanged between the ESP-based IoT device and other local or remote systems, compromising data privacy.
Most IoT devices will independently secure the data exchanged with their cloud service, so this vulnerability is unlikely to enable an attacker to compromise the data between them. However, if an IoT device provides local control to users connected to the same Wi-Fi network as the device, this may be a cause for concern. If an ESP-based IoT device relies solely on the security of the enterprise Wi-Fi network to control local access or hide its data, an attacker can see all that data, and can potentially take control of the device. Worse, if the local user authenticates with the device by passing credentials that the device then sends to the cloud service, an attacker could access those user credentials.
Note that an "attacker on the local Wi-Fi network" need not be a person in close physical proximity to the location of the Wi-Fi network or IoT device. The "attacker" may be a rogue program or script running on a compromised edge router or laptop, connected to or in close proximity to the Wi-Fi network.
The most serious vulnerability is only present on WPA-Enterprise networks, most often used in commercial environments. Residential Wi-Fi routers typically only support and use WPA2-Personal.
How are Ayla Customers Protected From Risk?
Ayla customers using Ayla’s Integrated Agent for Espressif are fully protected from all three vulnerabilities impacting the ESP32/8266 Wi-Fi chipsets.
All data exchanged between the agent and the Ayla IoT Cloud service is secured end-to-end using TLS, which protects against data inspection, data modification, and man-in-the-middle attacks.
All local communication between the agent and a mobile application built using Ayla’s Mobile SDK is protected using Ayla’s LANConnect protocol. LANConnect independently authenticates the user and encrypts all data, without exposing any sensitive data to other systems on the Wi-Fi network.
Ayla customers using Ayla’s Integrated Agent for Espressif ESP32 are protected from CVE-2019-12586, as WPA-Enterprise is not supported in the latest version of the agent. Any future versions which support enterprise Wi-Fi networks will incorporate the fixes required to protect against this attack.
We see no immediate concern for customer devices using Ayla Integrated Agent ada-1.3.10 or later. We do not believe a firmware upgrade for already-deployed devices will be necessary.
However, Espressif has released a new SDK version which includes fixes for these vulnerabilities, and Ayla will be releasing a new version of the Integrated Agent for that SDK. We recommend that any customers currently developing products using the ESP32 adopt this new agent when it becomes available in mid-September.
More generally, we recommend that customers that need local Wi-Fi access to their products utilize Ayla's LANConnect protocol, rather than relying solely on the security of the Wi-Fi network itself.