FragAttacks

[nagyrobi]

@fvanroie please have a look at the latest Wifi vulnerabilities discussion on Tasmota:
arendst/Tasmota#12104
How deep should we be concerned?

Eg. I'm thinking of this:
How can the adversary construct unencrypted Wi-Fi frames so they are accepted by a vulnerable device? First, certain Wi-Fi devices accept any unencrypted frame even when connected to a protected Wi-Fi network. This means the attacker doesn't have to do anything special! Two of out of four tested home routers were affected by this vulnerability, several internet-of-things devices were affected, and some smartphones were affected.

[fvanroie]

Espressif released an update to ESP-IDF which includes patches for the FragAttacks CVEs. See their Security Advisory.
The fixes have been added to ESP-IDF versions:

• Master (ef127ab9 )
• Release v4.3.1 (46144f70 )
• Release v4.2.2 (60ccb3fe )
• Release v4.1.2 (97c8be71 )
• Release v4.0.4 (7504329e )
• Release v3.3.6 (b403b0db )

At the moment, Arduino core 1.0.6 still uses ESP-IDF 3.3.5. We will update it as soon as a new core become available.

[nagyrobi]

Additionally we should consider configuration options to disable telnet/http (only MQTT-operation).

Also implement some extra security like encryption for MQTT client like SSL/TLS as HA already supports it.

[nagyrobi]

[19:28:06.212][92188/112580 16][22640/24860 9] MSGR: service=stop http
[19:28:06.230][92188/112652 18][22640/24860 9] MSGR: Command 'service' not found => stop http

was this just an idea?

[fvanroie]

It was a quick test to see if/how it could work. I'm OK with implementing it, but not sure about the command structure yet:

service start|stop <name>
<name> start|stop
start|stop <name>
...

[nagyrobi]

A kind of autoexec.bat implementation would be needed to run the commands at boot.

[fvanroie]

How about:

service start telnet
TELN: Telnet console started
service stop telnet
TELN: Closing session from 192.168.0.123
service start http
HTTP: Started @ http://192.168.0.5
service stop http
HTTP: Stopped

Can be tested in master

[nagyrobi]

Works:
publish to hasp/<your plate>/command/service the string stop telnet etc

[nagyrobi]

Not FragAttacks, but still interesting read:
arendst/Tasmota#6767

[fvanroie]

FragAttack has been fixed in arduino-esp32 v2.0.0

Now the platformio framework needs to update too, so we can use it.

[nagyrobi]

Which files should I change?

[fvanroie]

You need to insert that piece into the user_setups\esp32\lanbon_l8.ini

I'm testing this override per 1 evironment, as long as it is not officially released I'll leave the default to the stable core.

[nagyrobi]

Testing this on Lanbon. Generated OTA binary is slightly bigger.

[fvanroie]

In 2.0.0 memory consumption is not optimized yet, but Arduino 2.0.1 promises memory improvements:

• Smaller memory footprint (smaller than even v1.0.6)

I noticed about 10kB less free heap on 2.0.0 but this will hopefully soon be fixed.

[fvanroie]

Updated v0.7.0-dev to Arduino 2.0.2. FragAttack should be fixed using this current version of the framework.