xoseperez / espurna

Home automation firmware for ESP8266-based devices
http://tinkerman.cat
GNU General Public License v3.0

Security: Savings are not encrypted #1487

Open Wikibear opened 5 years ago

Wikibear commented 5 years ago

I watched a short YouTube video from the 35C3 event. A guy there presented how secure Chinese devices are and how they work. He downloaded the firmware from a Chinese device and got all the data encrypted. He said don't trust Chinese devices, cloud and software, and recommended using open source. After the presentation there was a Q&A and one guy in the audience asked a good question... Are passwords and all other things saved encrypted? The presenter couldn't say anything, and this was my point to try it out... After compiling and opening the firmware bin with a hex editor, all settings are saved unencrypted. All passwords seem to be saved in clear text. That is a nightmare if you use a bulb or power plug outside of your rooms and somebody grabs it, reads out the firmware and gets access to all your passwords and settings.

Can anybody confirm this?

https://www.youtube.com/watch?v=DfsPnvf3INg

If the answer is yes... please encrypt any settings like passwords before saving them to the chip.

Thanks.


kris969 commented 5 years ago

I have made a check that confirms this. Very simple to check: hexdump -C firmware.bin | grep mypassword and you will find your password unencrypted. That way, the password should not be the only information to encrypt.
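The hexdump-and-grep check above generalizes to a small scanner. The following is an added example, not ESPurna's code and not from any commenter in this thread: it extracts printable ASCII runs from a flash dump (as the `strings` tool does), reports the offset of every expected secret that appears verbatim, and lists which ones leak. The sample image and its key=value settings layout are constructed for the demo and are assumptions about how a firmware might lay out its configuration, not ESPurna's actual format.

```python
import re

# Constructed sample flash dump (an assumption, not a real ESPurna image):
# some code-like bytes, erased flash (0xff), then a key=value settings area
# of the kind ESP8266 firmwares commonly keep in a dedicated sector.
SAMPLE_SETTINGS = (
    b"ssid0=HomeNet\x00"
    b"pass0=S3cretWiFiPass\x00"
    b"adminPass=admin1234\x00"
    b"ip0=192.168.1.50\x00"
)
SAMPLE_FIRMWARE = (
    b"\xe9\x03\x00\x40" + bytes(range(256)) * 4    # fake code bytes
    + b"\xff" * 64 + SAMPLE_SETTINGS + b"\xff" * 64
)


def extract_strings(image: bytes, min_len: int = 4):
    """Like the `strings` tool: (offset, text) for each run of printable ASCII."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(image)]


def find_secrets(image: bytes, secrets):
    """Offsets at which each expected secret appears verbatim (cleartext) in the image."""
    hits = {}
    for s in secrets:
        needle = s.encode()
        offs, start = [], 0
        while (idx := image.find(needle, start)) != -1:
            offs.append(idx)
            start = idx + 1
        hits[s] = offs
    return hits


def leaked_secrets(image: bytes, secrets):
    """Names of the secrets present in cleartext, sorted for stable output."""
    return sorted(s for s, offs in find_secrets(image, secrets).items() if offs)


if __name__ == "__main__":
    known = ["S3cretWiFiPass", "admin1234", "NotStoredAnywhere"]
    for off, text in extract_strings(SAMPLE_FIRMWARE):
        if re.match(r"[A-Za-z0-9_]+=", text):      # cheap filter for key=value settings
            print(f"0x{off:06x}  {text}")
    print("leaked:", leaked_secrets(SAMPLE_FIRMWARE, known))
```

Run it against a real dump by replacing SAMPLE_FIRMWARE with the bytes read from your firmware.bin (or a flash image pulled with esptool); searching for the exact secret you configured is more reliable than eyeballing hexdump output, and the offsets tell you which flash region holds the settings.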

Wikibear commented 5 years ago

Thanks for your feedback. As you can see in my picture, all WLAN settings are not encrypted. You can see SSID, password, IPs, etc. Same with the admin password.

mcspr commented 5 years ago

Not really sure what can be done here. ESP8266 does not have any type of secure storage or flash read protection (💭 esp8285 + burning tx rx pins?)

https://github.com/xoseperez/espurna/issues/467 proposed using ESPNow, which could help not storing any auth keys for such outdoors devices.

Wikibear commented 5 years ago

Maybe a way to create a special salt from user input to encrypt passwords. E.g. passwords via SHA256 or anything else is better than nothing... Clear text passwords can be used for brute force and more...

AlbertWeterings commented 5 years ago

If you build something into the firmware to encrypt security information before saving it, you will also have to decrypt this information to be able to send it to your router for logon. This encrypt and decrypt code in open software, in my opinion, makes no sense, as you can read from the code how to decrypt any security information.
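The two preceding comments (hashing the passwords, versus encryption being pointless when the key must live in the same flash) can be shown concretely. The following is an added example, not ESPurna's code and not from any commenter: a toy "secure store" encrypts the settings with a keystream derived from a device key, but because the firmware needs that key to recover the WiFi password at boot, the key is written into the same image, and an attacker with only the flash dump locates it and decrypts. The admin password is the one secret the device only needs to verify, so a salted hash is shown for it; that raises the cost of offline guessing against the dump but does not prevent it. The key, markers, settings layout and the SHA-256 counter-mode keystream are assumptions for the demo; stdlib only.

```python
import hashlib
import hmac

# Constructed demo values (assumptions, not ESPurna's layout or key handling).
DEVICE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
SETTINGS = b"ssid0=HomeNet\x00pass0=S3cretWiFiPass\x00"
KEY_MARKER = b"DEVKEY:"   # the firmware must be able to find its key, so anyone can
CFG_MARKER = b"CFG:"


def keystream(key: bytes, length: int) -> bytes:
    """Toy stream cipher: SHA-256(key || counter) blocks. Deterministic by design,
    which is exactly why possession of the key is all an attacker needs."""
    out = bytearray()
    ctr = 0
    while len(out) < length:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(out[:length])


def xor_bytes(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def build_image(settings: bytes, device_key: bytes) -> bytes:
    """Firmware side: encrypt settings, then write key AND ciphertext into flash."""
    ct = xor_bytes(settings, keystream(device_key, len(settings)))
    return (b"\xe9\x03\x00\x40" + b"\x00" * 60                      # fake code
            + KEY_MARKER + bytes([len(device_key)]) + device_key
            + b"\xff" * 32
            + CFG_MARKER + len(ct).to_bytes(2, "big") + ct)


def recover_from_dump(image: bytes) -> bytes:
    """Attacker side: given only the flash dump, find the key and decrypt.
    This is the same code path the firmware itself runs at boot."""
    k = image.index(KEY_MARKER) + len(KEY_MARKER)
    key = image[k + 1:k + 1 + image[k]]
    c = image.index(CFG_MARKER) + len(CFG_MARKER)
    clen = int.from_bytes(image[c:c + 2], "big")
    ct = image[c + 2:c + 2 + clen]
    return xor_bytes(ct, keystream(key, clen))


# The admin password only has to be verified, never sent anywhere, so the
# device can store a salted slow hash instead of something reversible.
def hash_admin_password(password: bytes, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, 100_000)


def verify_admin_password(stored: bytes, salt: bytes, attempt: bytes) -> bool:
    return hmac.compare_digest(stored, hash_admin_password(attempt, salt))


if __name__ == "__main__":
    image = build_image(SETTINGS, DEVICE_KEY)
    print("WiFi password greppable in dump:", b"S3cretWiFiPass" in image)
    print("recovered by attacker with dump only:", recover_from_dump(image))
    salt = b"\x01" * 16
    stored = hash_admin_password(b"admin1234", salt)
    print("admin login ok:", verify_admin_password(stored, salt, b"admin1234"))
```

The encryption does defeat a naive grep, which is the only thing it buys: the WiFi credential must be recoverable by the device, so it is recoverable by whoever holds the device. Moving the key off the flash (the external crypto IC discussed later in this thread) is what changes that, not a different cipher.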

mcspr commented 5 years ago

Turns out the folks at MongooseOS already thought out that problem by using additional hardware: https://mongoose-os.com/blog/mongoose-esp8266-atecc508-aws/ https://www.microchip.com/wwwproducts/en/ATECC508A https://github.com/mongoose-os-libs/atca

In mongoose os it is used exclusively for TLS client cert key, but datasheet lists many other available uses.

edit: it still leaves the problem of the esp8266 board / bootloader / program being trustworthy (it is not). While the i2c channel is obfuscated, the esp8266 serial connection is still there to replace the code with a malicious one. esp32 is better at that, having support for secure boot + encryption

xoseperez commented 5 years ago

AFAIK, this is not possible on the ESP8266 without an extra crypto IC. It is on the ESP32, where you even have the option to encrypt the image. Unfortunately, anything we can try here will be easily breakable.