arduino-libraries / WiFiLink-Firmware

Arduino WiFi Link firmware for ESP8266 based boards
MIT License

WiFi setup should use HTTPS and/or serial mode, not via plaintext credentials transmitted in the clear #25

Open MartyMacGyver opened 7 years ago

MartyMacGyver commented 7 years ago

The WiFi setup for the ESP8266 should either be over a secure connection (HTTPS or WPA2) or configurable via serial (for example, via a sketch - a common method for this device).

Currently, private credentials are transmitted completely in the clear over the insecure AP network WiFiLink uses for setup, rendering them vulnerable to interception.

JAndrassy commented 7 years ago

There is a bigger security problem :-). http://#ip address#/config.json

MartyMacGyver commented 7 years ago

For whoever triages this, the results of http://192.168.xx.yy/config.json are {"ssid":"your_ssid_name","password":"your_formerly_secret_password"} (with the actual data).

That's pretty bad.
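An added example, not part of the thread and not WiFiLink's own code: one way a firmware handler could build the config.json body so that the stored passphrase is never read back. The struct, the function names and the password_set field are hypothetical.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not WiFiLink code; every name here is hypothetical. */
struct wifi_cfg { const char *ssid; const char *password; };

/* Append s to out[len..] as a JSON string, escaping quotes, backslashes and
 * control bytes. Returns the new length, or -1 if it would not fit in cap. */
static int json_put_str(char *out, size_t cap, size_t len, const char *s)
{
    if (len + 2 >= cap) return -1;
    out[len++] = '"';
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        char esc[8];
        if (c == '"' || c == '\\') snprintf(esc, sizeof esc, "\\%c", c);
        else if (c < 0x20) snprintf(esc, sizeof esc, "\\u%04x", (unsigned)c);
        else snprintf(esc, sizeof esc, "%c", c);
        size_t n = strlen(esc);
        if (len + n + 1 >= cap) return -1;
        memcpy(out + len, esc, n);
        len += n;
    }
    out[len++] = '"';
    out[len] = '\0';
    return (int)len;
}

/* Body for GET /config.json. The passphrase is write-only: the response says
 * whether one is stored, never what it is. Returns length, or -1 on overflow. */
int build_config_json(const struct wifi_cfg *cfg, char *out, size_t cap)
{
    int len = snprintf(out, cap, "{\"ssid\":");
    if (len < 0 || (size_t)len >= cap) return -1;
    len = json_put_str(out, cap, (size_t)len, cfg->ssid);
    if (len < 0) return -1;
    const char *set = (cfg->password && cfg->password[0]) ? "true" : "false";
    int n = snprintf(out + len, cap - (size_t)len, ",\"password_set\":%s}", set);
    if (n < 0 || (size_t)n >= cap - (size_t)len) return -1;
    return len + n;
}

int main(void)
{
    /* Constructed sample values, matching the placeholders in the report. */
    struct wifi_cfg cfg = { "your_ssid_name", "your_formerly_secret_password" };
    char body[128];
    if (build_config_json(&cfg, body, sizeof body) > 0) puts(body);
    return 0;
}
```

This covers only the read-back through config.json; credentials submitted during setup still cross the open AP network in plaintext, which is what the issue originally reports.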