G4lile0 / tinyGS

📡 Open Ground Station Network 🛰
GNU General Public License v3.0

Security Issue: Fallback to unprotected, public Wifi AP if connection fails #166

Open dm5tt opened 2 years ago

dm5tt commented 2 years ago

Firmware: v2105260
Device: TTGO Lora 32

Hi!

I just spotted that my TinyGS started playing WiFi access point due to local network maintenance.

It failed to connect to the pre-configured access point, so it activated its fallback routines. The SSID was not protected by any password, so everybody was able to connect. This is a severe security problem, as it can for sure be forced using targeted deauth attacks.

This might be OK during the configuration of the device for an extremely short time span, but it should never happen to a fully configured node.

I was able to

How to reproduce:

  1. Fully set up the TinyGS node
  2. Disable the AP the device is connecting to
  3. Wait for the device to create an AP with the same name as your TinyGS node
  4. Connect and open 192.168.4.1 in your browser

Best Regards, Holger

tkerby commented 1 year ago

On mine, the fallback access point seems to use the same password as I've selected for the admin page.
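Since both comments above concern what the node does when the station connection fails, here is an added illustration, not tinyGS firmware code, of a fallback policy that never exposes an open AP on a configured node and that reuses the admin password as WPA2 key only when it is a valid passphrase. The function names, the failure threshold, the backoff values and the AP time window are assumptions made for this example; the hardware calls (softAP, STA connect) are left to the caller.

```cpp
#include <string>

// What the node should do after a station (STA) connection attempt fails.
enum class ApMode { None, Open, Wpa2 };

struct FallbackDecision {
    ApMode mode;           // None: stay in STA mode and just retry
    std::string ssid;      // AP name when mode != None
    std::string psk;       // WPA2 passphrase when mode == Wpa2
    unsigned retry_ms;     // delay before the next STA attempt
    unsigned ap_window_ms; // how long the AP may stay up before retrying STA
};

// WPA2-PSK passphrases are 8..63 characters. A shorter admin password must
// not be handed to the AP setup call, which would degrade to an open network.
bool valid_wpa2_psk(const std::string& psk) {
    return psk.size() >= 8 && psk.size() <= 63;
}

// provisioned: the node already holds STA credentials and an admin password.
// failures: consecutive STA failures so far (1 on the first failure).
// Thresholds and timeouts below are assumed values for this example.
FallbackDecision decide_fallback(bool provisioned, unsigned failures,
                                 const std::string& node_name,
                                 const std::string& admin_pass) {
    FallbackDecision d{ApMode::None, "", "", 0, 0};
    // Exponential backoff capped at 5 minutes: a brief outage or a burst of
    // deauth frames alone should not be enough to flip the node into AP mode.
    unsigned shift = failures < 6 ? failures : 6;
    d.retry_ms = 5000u << shift;            // 10 s, 20 s, 40 s, ...
    if (d.retry_ms > 300000u) d.retry_ms = 300000u;

    if (!provisioned) {
        // Initial configuration only: a setup AP for a short window.
        d.mode = ApMode::Open;
        d.ssid = node_name;
        d.ap_window_ms = 120000u;
        return d;
    }
    // A configured node never opens an unprotected AP. The admin password is
    // reused as the WPA2 key only if it is a valid passphrase; otherwise the
    // node keeps retrying STA and exposes nothing.
    if (failures >= 3 && valid_wpa2_psk(admin_pass)) {
        d.mode = ApMode::Wpa2;
        d.ssid = node_name;
        d.psk = admin_pass;
        d.ap_window_ms = 300000u;
    }
    return d;
}
```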