Security concerns, which risk without OTA?

rin67630
Posts: 139
Joined: Sun Mar 11, 2018 5:13 pm

Security concerns, which risk without OTA?

Postby rin67630 » Fri May 11, 2018 4:50 pm

OK, it's clear that with the ability to change code over the air, the potential risk of being hijacked rises enormously.
But, as long as no OTA code is uploaded and the device is not on USB, will I have to care about security as long as no physical access to the device is given?
Last edited by rin67630 on Fri May 11, 2018 7:43 pm, edited 1 time in total.

kolban
Posts: 1683
Joined: Mon Nov 16, 2015 4:43 pm
Location: Texas, USA

Re: Safety concerns, which risk without OTA?

Postby kolban » Fri May 11, 2018 5:17 pm

By safety I think you mean "security". There is always the opportunity for a bug introduced by your code or subtly lurking within the ESP-IDF or hardware that could compromise your ESP32 but that would be true for all hardware and all applications. Someone with physical access to the device is likely to be able to compromise it. For example, if I could get electrical access to it then I could boot it into flash mode and serially push my own application. I don't know if there is a security feature in the ROM bootloader that would prevent re-flashing (a write once capability that would check the ESP32 efuses and, if set, would check the content of flash against a hash to see if it had been tampered with). I am assuming that you are worried about someone maliciously replacing what would appear to be a "product" containing an ESP32 with an identical product that contains unwanted logic.

Later ... found this excellent documentation on secure boot:

http://esp-idf.readthedocs.io/en/latest ... -boot.html
Free book on ESP32 available here: https://leanpub.com/kolban-ESP32

fly135
Posts: 606
Joined: Wed Jan 03, 2018 8:33 pm
Location: Orlando, FL

Re: Safety concerns, which risk without OTA?

Postby fly135 » Fri May 11, 2018 6:14 pm

rin67630 wrote: OK, it's clear that with the ability to change code over the air, the potential risk of being hijacked rises enormously.
But, as long as no OTA code is uploaded and the device is not on USB, will I have to care about safety?
You can enable encryption in the bootloader. Any code that you flash will be encrypted, but you only get 3 flashes. After that any new code needs to be OTA. The bootloader will encrypt the code that OTA burns. The encryption key is generated by the ESP32 and unknown to everyone including you. But the method that you use to initiate an OTA could be hijacked, so you need to make sure that's secure.

If you don't have the device doing OTA then it's probably pretty secure. But who knows if there are any backdoors lurking around.

John A
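The last point in the post above, that the path used to start an OTA update can itself be hijacked, is worth making concrete. The following is an added example, not code from this thread or from ESP-IDF: a small Python model in which the device refuses to write anything it cannot authenticate under a per-device key and refuses to roll back to an older version. HMAC-SHA256 stands in for the signature check that ESP32 secure boot performs over a real image; the key, the message framing and the firmware bytes are constructed for the example.

```python
"""Authenticate an OTA update before touching flash (added example, not ESP-IDF).

The device accepts an image only if the tag over header+image verifies under a
per-device key, the framing is consistent, and the version is newer than what
is running. Everything else is rejected before a single byte is written.
HMAC-SHA256 stands in for the signature check ESP32 secure boot applies to a
real image; key, framing and firmware bytes are constructed for this example.
"""
import hashlib
import hmac
import struct

MAGIC = b"OTA1"
HDR = struct.Struct("<4sII")            # magic, firmware version, image length
TAG_LEN = hashlib.sha256().digest_size

# Constructed key. A real device keeps it in eFuse or encrypted flash, per unit.
DEVICE_KEY = bytes.fromhex(
    "6f1b2e9c4d8a7b3c5e0f1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f90a1b2c3")


def build_ota_message(image: bytes, version: int, key: bytes = DEVICE_KEY) -> bytes:
    """Update server side: header || image || HMAC-SHA256(key, header || image)."""
    body = HDR.pack(MAGIC, version, len(image)) + image
    return body + hmac.new(key, body, hashlib.sha256).digest()


def verify_ota_message(msg: bytes, current_version: int, key: bytes = DEVICE_KEY):
    """Device side: returns (accepted, reason, image). Only accepted images get flashed."""
    if len(msg) < HDR.size + TAG_LEN:
        return False, "too short", b""
    body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
    # Authenticate before interpreting any field, with a constant-time compare.
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return False, "bad tag", b""
    magic, version, length = HDR.unpack_from(body)
    if magic != MAGIC or length != len(body) - HDR.size:
        return False, "bad framing", b""
    if version <= current_version:
        return False, "rollback", b""       # refuse downgrade or replay of an older image
    return True, "ok", body[HDR.size:]


if __name__ == "__main__":
    firmware = b"\xe9" + bytes(range(64))                 # constructed stand-in for an image
    msg = build_ota_message(firmware, version=2)
    print(verify_ota_message(msg, current_version=1)[:2])           # (True, 'ok')
    forged = bytearray(msg)
    forged[HDR.size + 5] ^= 0x01                                     # one flipped image byte
    print(verify_ota_message(bytes(forged), current_version=1)[:2])  # (False, 'bad tag')
```

Because the version field sits under the tag, an attacker on the LAN can neither splice in their own image nor replay a genuine older image with a bumped version; both fail the tag check before the device looks at the header.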

rin67630
Posts: 139
Joined: Sun Mar 11, 2018 5:13 pm

Re: Security concerns, which risk without OTA?

Postby rin67630 » Fri May 11, 2018 7:47 pm

fly135 wrote: If you don't have the device doing OTA then it's probably pretty secure. But who knows if there are any backdoors lurking around.
Yes, that was my concern. The device contains the WLAN password unencrypted; could one imagine retrieving it remotely?
I am only concerned about WLAN/LAN attacks, not about anyone having physical access to the device.
Last edited by rin67630 on Sat May 12, 2018 6:11 am, edited 1 time in total.

kolban
Posts: 1683
Joined: Mon Nov 16, 2015 4:43 pm
Location: Texas, USA

Re: Security concerns, which risk without OTA?

Postby kolban » Fri May 11, 2018 11:25 pm

If the ESP32 contains the WiFi password then that will likely be stored in flash. If you discount physical access then there should be no need to encrypt it. If you don't encrypt it, then someone with physical access could dump flash and gain access.

Discounting physical access, then there had better not be an ability to access the clear text password remotely. If we turn the question around and say that there is a mechanism for accessing the clear text password stored in an ESP32 then we are all in deep deep trouble. Obviously, you will need some mechanism to supply the ESP32 with your local password and that would be a weak point if not done properly but once safely stored, it shouldn't be able to "leak out".
Free book on ESP32 available here: https://leanpub.com/kolban-ESP32
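To make kolban's point concrete (a plaintext Wi-Fi password in flash is exactly what a flash dump gives away), the following added Python script, which is not part of this thread or of ESP-IDF, walks an NVS partition image and lists the key/value pairs it holds, including the station SSID and password. The page and entry layout follow the ESP-IDF NVS internals documentation; the namespace `nvs.net80211` and the keys `sta.ssid` and `sta.pswd` are the names the Wi-Fi driver is believed to use and are an assumption here, and the image itself is constructed inside the script (its CRC fields are left unfilled and are not checked).

```python
"""Walk a plaintext ESP32 NVS partition dump and list its key/value pairs.

Added example (not ESP-IDF code). Layout per the ESP-IDF NVS internals
documentation: 4096-byte pages; a 32-byte page header; a 32-byte entry-state
bitmap (2 bits per entry); 126 entries of 32 bytes. CRC32 fields are not
validated and BLOB_IDX entries are skipped, so this is a recovery tool only.
"""
import struct

PAGE_SIZE, ENTRY_SIZE, ENTRIES_PER_PAGE = 4096, 32, 126
PAGE_ACTIVE, PAGE_FULL = 0xFFFFFFFE, 0xFFFFFFFC
ENTRY_WRITTEN = 0b10                      # bitmap: 0b11 empty, 0b10 written, 0b00 erased
# Fixed-size value types: type byte -> struct format (value lives in the 8 data bytes)
PRIMITIVE = {0x01: "<B", 0x11: "<b", 0x02: "<H", 0x12: "<h",
             0x04: "<I", 0x14: "<i", 0x08: "<Q", 0x18: "<q"}
SZ, BLOB, BLOB_DATA, BLOB_IDX = 0x21, 0x41, 0x42, 0x48   # variable-size types


def iter_entries(page: bytes):
    """Yield (ns, type, key, data8, payload) for each entry marked Written.

    Variable-size values occupy the span-1 slots after the header entry; those
    slots are returned as `payload` and are not interpreted as entries."""
    bitmap = page[32:64]
    i = 0
    while i < ENTRIES_PER_PAGE:
        state = (bitmap[i // 4] >> (2 * (i % 4))) & 0b11
        off = 64 + i * ENTRY_SIZE
        span = page[off + 2]
        if state != ENTRY_WRITTEN or not 1 <= span <= ENTRIES_PER_PAGE - i:
            i += 1
            continue
        key = page[off + 8:off + 24].split(b"\0", 1)[0].decode("ascii", "replace")
        yield (page[off], page[off + 1], key, page[off + 24:off + 32],
               page[off + ENTRY_SIZE:off + span * ENTRY_SIZE])
        i += span


def parse_nvs(image: bytes) -> dict:
    """Map (namespace name, key) -> value over every active or full page."""
    raw = []
    for p in range(0, len(image) - PAGE_SIZE + 1, PAGE_SIZE):
        page = image[p:p + PAGE_SIZE]
        if struct.unpack_from("<I", page)[0] in (PAGE_ACTIVE, PAGE_FULL):
            raw.extend(iter_entries(page))
    # Namespace table: U8 entries in namespace 0 map a namespace name to its index.
    names = {data[0]: key for ns, etype, key, data, _ in raw if ns == 0 and etype == 0x01}
    out = {}
    for ns, etype, key, data, payload in raw:
        if ns == 0 or etype == BLOB_IDX:
            continue
        ident = (names.get(ns, f"ns{ns}"), key)
        if etype in PRIMITIVE:
            out[ident] = struct.unpack_from(PRIMITIVE[etype], data)[0]
        elif etype in (SZ, BLOB, BLOB_DATA):
            size = struct.unpack_from("<H", data)[0]      # data8 = size, reserved, crc32
            value = payload[:size]
            if etype == SZ:
                out[ident] = value.rstrip(b"\0").decode("utf-8", "replace")
            elif etype == BLOB_DATA and isinstance(out.get(ident), bytes):
                out[ident] += value                        # later chunk of the same blob
            else:
                out[ident] = value
    return out


def _entry(ns, etype, span, chunk, key, data8, payload=b""):
    """One constructed entry plus its data slots. CRC bytes left 0xFF (unchecked)."""
    head = bytes([ns, etype, span, chunk]) + b"\xff" * 4
    head += key.encode().ljust(16, b"\0") + data8.ljust(8, b"\xff")
    return head + payload.ljust((span - 1) * ENTRY_SIZE, b"\xff")


def constructed_image() -> bytes:
    """One active page holding station credentials in the clear (constructed data;
    namespace and key names are assumed to match the ESP-IDF Wi-Fi driver)."""
    ssid, pswd = b"HomeNet", b"Tr0ub4dor&3!"
    entries = (_entry(0, 0x01, 1, 0xFF, "nvs.net80211", b"\x01")
               + _entry(1, SZ, 2, 0xFF, "sta.ssid",
                        struct.pack("<HHI", len(ssid) + 1, 0xFFFF, 0), ssid + b"\0")
               + _entry(1, BLOB_DATA, 2, 0, "sta.pswd",
                        struct.pack("<HHI", len(pswd), 0xFFFF, 0), pswd)
               + _entry(1, 0x01, 1, 0xFF, "sta.authmode", b"\x03"))
    bitmap = bytearray(b"\xff" * 32)
    for i in range(len(entries) // ENTRY_SIZE):      # mark every used slot Written (0b10)
        bitmap[i // 4] &= 0xFF ^ (1 << (2 * (i % 4)))
    header = struct.pack("<IIB", PAGE_ACTIVE, 0, 0xFE) + b"\xff" * 23   # seq 0, v2, crc unfilled
    return (header + bytes(bitmap) + entries).ljust(PAGE_SIZE, b"\xff")


if __name__ == "__main__":
    for (ns, key), value in parse_nvs(constructed_image()).items():
        print(f"{ns}/{key} = {value!r}")
```

Run against a real dump (for example the output of `esptool.py read_flash` over the NVS partition's offset and size) instead of `constructed_image()`, the same walk recovers whatever the firmware stored there; this is the reason flash encryption, rather than any property of the application code, is what closes the physical-access case.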
