ESP8266 Community Forum

- Fri Aug 14, 2015 11:39 pm #26038 I like embedded digital electronics hardware development and embedded controller applications programming.
After those two activities my expertise and interest declines rapidly.

Building network enabled projects with the esp8266 is now super easy and inexpensive.

My question for the networking experts is: How do we secure our new toys?
The esp8266 apparently is not hardware capable of HTTPS communications. Should they not be used?
I am sure they will be used. Millions if not billions of cost sensitive consumer electronics items will have these or similar devices in them.
Someone once wrote that everything with an electrical connection will be web enabled at some point.
I am starting to believe that statement.

For home use, I am almost ready to buy a dedicated non-internet connected router for my 'intranet of things' projects and call it done.

Any other ideas?

- Tue Aug 18, 2015 10:03 am #26367 I am far from an expert in security, but it was an interest of mine in university and most of my work-life has been creating secure systems. However, working with something as modestly powered as a ESP8266 puts an interesting spin on things.

Honestly, it may be impossible to create a secure project on an ESP8266 in the sense that a determined attacker with widely available resources (ie. a desktop computer with a GPU) couldn't gain access in a couple of days. The modest compute power and especially memory of an ESP8266 puts it at a huge disadvantage. However, that's no reason not to make things as secure as possible.

And coming up with an adhoc security model is not the path to success. Securing the IoT is a big project, but also a worthwhile project. Because of that, there must already be security solutions in place or in the works for microcontroller-based devices.

This is something we should all be looking at more carefully.

- Wed Aug 19, 2015 1:25 am #26436 I think it was this http://www.bunniestudios.com/blog/?page_id=3592 , by Andrew "bunnie" Huang about the ability of microSD cards be an active security risk that got me thinking more about this.

Most of the articles I read about IoT security devolve into throwing their arms up, conceding that IoT is a huge attack surface area, and muttering something about the solution will have to be implemented further upstream.

With over half of all home WiFi routers placed in operation with the default factory passwords not changed, I should not worry so much. IoT will probably make for some ferocious zombie botnets in the future though.

- Wed Aug 19, 2015 11:08 am #26479 A network of ESP8266 in station mode is safe as the network they are connected to. If the network they are connected with is cracked, the attacker can clone the mac of a module and impersonate it.
Or do Man in the Middle attacks and spoof a connection.

The ESP8266 is even itself an interesting attack vector, that can be used to make many kind of attacks or exploit like fishing login data disguising itself as a free hotspot, brute force crack a wpa password, DDoS on a network...