WiFi mode on the ESP8266 reverts to AP+STA on each reset of the Star OTTO Light board

[MartyMacGyver]

The Star OTTO Light is initially in WiFi mode AP+STA. This creates an insecure Arduino-Star-Otto-*** network that any random device can connect to. While this is useful during the initial setup (absent a secure serial-only method) it is a major security vulnerability otherwise.

STA-only mode is advised in the Getting Started documentation, and one would expect the updated setting to persist across device resets. Instead, the setting is reverted each time the Star OTTO Light is reset, resulting in a return to AP+STA mode. The WiFi network and password settings are retained, but this important setting is not retained, resulting in an insecure pathway to the device on each reset.

My Star OTTO Light device is using wifilink - 1.0.1 (20170509). It has this ESP8266 firmware security bug out of the box (for unrelated reasons I've yet to flash any software onto the device.)

Edit: A look at the code suggests the problem is in WBServer.ino's initWBServer() function, where WiFi.mode() is set to WIFI_AP_STA:

https://github.com/arduino-org/arduino-firmware-wifilink/blob/07a7263bc339ca952b9cfbd3b4a5be617f1cb6da/ArduinoFirmwareEsp/WBServer.ino#L271

[MartyMacGyver]

Even worse, in conjunction with issues #25 and #29, this means that every time you boot the board an attacker can simply connect unauthenticated to the board, browse to the default ip for the board in AP mode and read the plaintext configuration via http://<defaultip>/config.json

This is entirely unacceptable and unsafe. In fact, given the insecurity of the present web interface I'd suggest disabling it by default and configuring it instead to use a sketch-based method to update the board's credentials and settings.

As for using config.json in SPIFFS for wifi credentials, I don't believe this is a best practice for the ESP8266 when using https://github.com/esp8266/Arduino. The example in https://github.com/esp8266/Arduino/blob/master/libraries/DNSServer/examples/CaptivePortalAdvanced/CaptivePortalAdvanced.ino is more robust, and won't easily leak the credentials.