
My questions as a newbie

Posted: Tue Mar 21, 2017 11:00 pm
by Olivier Galand
Hello

I'm new to the ESP8266.

To be short, months ago I started installing home automation in my flat (RJ45 wiring, NAS, centralized TV sat decoder system + HDMI-RJ45 converter to broadcast video in the rooms, all this remotely controlled with a Logitech Harmony remote/hub; all that stuff is locked in a technical room).

Then I found some limits to the Harmony system for automation ... so basically I decided to try to replace the remote with my phone (by coding an app and using the network to send commands to the Harmony hub).
But as I won't use the Logitech remote anymore, I need a way to capture the IR emitted by the hub and send it to other rooms. I was thinking of using 2 devices based on the ESP8266 (one near the hub to capture IR and convert it into network packets, and another in my bedroom to convert back and send IR; this device could also be my mobile phone) ... an IR repeater through wifi, basically.

This is what made me interested in the ESP8266. Then, reading the docs, I found this could be useful for many, many other things, so I started to play with it (I have a CP2102-based NodeMCU dev board).
I use ESPlorer and Lua to do dev on the ESP.

So far I think I have managed to do the basic stuff ... environment install on my dev PC, flashing firmware, writing some little scripts to access GPIO and a few basic electronics designs, mainly following the many tutorials available.

So here comes my question (others will follow ...)

- As a software dev IRL I'm concerned about security. Currently my device is configured, for config, as an AP with a static SSID and a static pwd; the idea is to log in with the phone, enter the credentials for my home network (ssid/pwd) and validate, then the device will switch to configured mode (station) and be (almost) ready to work.
The device also has a manual factory reset to go back to config mode.
For safety I set max connections in AP mode to 1 to be sure the user won't be able to send credentials with a peer connected to this network.
BUT the configuration is done through a basic HTTP POST request, so the credentials will be clearly visible in the traffic ...

This leads to several questions:
- any criticism of this way of configuring a device (and/or another way to do it more safely)?
- I have almost no knowledge of wifi ... my naive view is that if I allow only 1 user to be connected to the AP during configuration, it will be impossible to sniff the traffic ... does a pwd-protected wifi encrypt air traffic, and how secure is it?
- assuming my current way of configuring the device is safe, if a peer steals the device, he will be the happy owner of an ESP containing the credentials to access my home network ... is it possible to extract that data from the stolen ESP? And is there any way of securing this?
- please share any comments you may have.

And thanks a lot to those who read everything to the end.

Olivier

Re: My questions as a newbie

Posted: Thu Mar 23, 2017 5:12 am
by jeffas
If I understand correctly, you are using ESP as a WiFi AP, connecting to it from your smartphone, then sending an HTTP POST to the ESP's website in order to configure the ESP. That configuration includes the credentials for your home WiFi.

1. Don't worry about someone catching the POST and seeing the data. It is travelling over WiFi, which is pretty secure. It was a good idea to limit the WiFi to a single client. I did not think of that for mine! I guess you could also use HTTPS to the ESP. I have not myself set up HTTPS on an ESP so I don't know how easy/difficult that is.

2. The configuration data will need to be stored on the ESP. Otherwise it will be lost on reset. Yes, someone stealing the ESP could read the data and possibly find the credentials. This has been discussed on other topics, notably this one: viewtopic.php?f=160&t=13790&start=4

3. I read to the end. You're welcome!
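
The provisioning step discussed above (config-mode AP limited to one client, home credentials sent by HTTP POST), as an added example that is not code from either poster. It assumes NodeMCU Lua firmware, form fields named `ssid` and `pwd`, and placeholder AP credentials; the parsing part is plain Lua and checks the fields before anything is stored.

```lua
-- Added example, not from the thread. Plain Lua 5.1 except the guarded block.

-- Decode one application/x-www-form-urlencoded component.
local function url_decode(s)
  s = s:gsub("%+", " ")
  s = s:gsub("%%(%x%x)", function(h) return string.char(tonumber(h, 16)) end)
  return s
end

-- Parse the POST body and validate both fields before they are stored.
-- The field names "ssid" and "pwd" are assumptions for this sketch.
local function parse_provisioning(body)
  local fields = {}
  for k, v in body:gmatch("([^&=]+)=([^&]*)") do
    fields[url_decode(k)] = url_decode(v)
  end
  local ssid, pwd = fields.ssid, fields.pwd
  if not ssid or #ssid < 1 or #ssid > 32 then
    return nil, "ssid must be 1-32 bytes"
  end
  -- WPA2-PSK passphrases are 8-63 printable ASCII characters.
  if not pwd or #pwd < 8 or #pwd > 63 or pwd:find("[^ -~]") then
    return nil, "passphrase must be 8-63 printable ASCII characters"
  end
  return { ssid = ssid, pwd = pwd }
end

-- Config-mode AP: WPA2 and a single client, as described in the thread.
if wifi then  -- true only on NodeMCU firmware
  wifi.setmode(wifi.SOFTAP)
  wifi.ap.config({
    ssid = "esp-setup",         -- constructed placeholder
    pwd  = "change-me-please",  -- constructed placeholder
    auth = wifi.WPA2_PSK,
    max  = 1,
  })
end

-- Constructed sample bodies; print the outcome, never the passphrase.
local ok = parse_provisioning("ssid=Home+Net&pwd=correct%20horse%21")
print(ok and ("accepted ssid: " .. ok.ssid) or "rejected")
local _, err = parse_provisioning("ssid=Home+Net&pwd=short")
print(err)
```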

Re: My questions as a newbie

Posted: Thu Mar 23, 2017 11:39 pm
by Olivier Galand
Thanks for your reply.

I also did some research and it seems installing a RADIUS server (my wifi router supports it, and I use a Syno NAS that has such a server in its available packages) could add a layer of safety.

https://en.wikipedia.org/wiki/RADIUS

If I understood correctly, it allows defining a different wifi password for a given client (IP), which means that if the ESP device is stolen or compromised, we just need to change the password for that IP.