GithubHelp home page GithubHelp logo

codingabi / arduino-esp32-wifi-easy-and-unsecure Goto Github PK

View Code? Open in Web Editor NEW
1.0 0.0 0.0 104 KB

ESP32 Wifi credentials seems to are stored in an unsecure way.

License: The Unlicense

C++ 100.00%

arduino-esp32-wifi-easy-and-unsecure's Introduction

Arduino-ESP32 Wifi easy and unsecure?

I have used Wifi on ESP32 microcontrollers in the past and liked how easy it is to use. But now I discovered that is seems to be a risk for my Wifi because the Wifi credentials are stored in an unsecure way (testet with arduino-esp32 1.0.6 and 2.0.5).

My concerns are: Everybody how can upload a sketch to an ESP32 can read the previous used Wifi credentials in plain text.

Now I show you how to reproduce my concerns:

Easy

This is a common, easy Arduino sketch to use a Wifi connection on an ESP32:

#include <WiFi.h>

#define WIFIMAXRETRIES 30
#define SSID "myssid"
#define PASSWORD "mySecretPassword1"

void setup() {
  int wifiRetry = 0;

  Serial.begin(115200);

  Serial.println("Connect Wifi with credentials");
  WiFi.begin(SSID,PASSWORD);

  while ((WiFi.status() != WL_CONNECTED) && (wifiRetry <= WIFIMAXRETRIES)) {
    wifiRetry++;
    delay(500);
    Serial.print(".");
  }
  Serial.println();
  if (WiFi.status() == WL_CONNECTED) {
    Serial.print("Successfully connected and ESP got IP ");
    Serial.println(WiFi.localIP());
  } else Serial.println("Connection failed");
}

void loop() {
}

I think many people use Wifi on ESP32 in this or a similar way. After compiling und uploading this sketch to the ESP32 the serial output shows that Wifi is working fine:

Connect Wifi with credentials
.
Successfully connected and ESP got IP 192.168.170.26

Unsecure

Now I overwrite the ESP32 with a complete another sketch, which contains NO Wifi credentials:

#include <WiFi.h>
#define WIFIMAXRETRIES 30

void setup() {
  int wifiRetry = 0;

  Serial.begin(115200);

  Serial.println("Connect without credentials");
  WiFi.begin();

  while ((WiFi.status() != WL_CONNECTED) && (wifiRetry <= WIFIMAXRETRIES)) { // wait while connecting
    wifiRetry++;
    delay(500);
    Serial.print(".");
  }
  Serial.println();
  
  if (WiFi.status() == WL_CONNECTED) {
    Serial.print("Successfully connected and ESP got IP ");
    Serial.println(WiFi.localIP());
  } else Serial.println("Connection failed");
  Serial.print("SSID ");
  Serial.println(WiFi.SSID());
  Serial.print("PSK ");
  Serial.println(WiFi.psk());
}

void loop() {
}

After compiling and uploading the second sketch the serial output shows that Wifi is still working and I can read the Wifi key (=password/psk/preshared-key) in plain text:

Connect without credentials
.
Successfully connected and ESP got IP 192.168.170.26
SSID myssid
PSK mySecretPassword1

Isn't that crazy? It makes no difference whether I power off and on the ESP32 or push the reset button. The Wifi credentials seems to be stored on the ESP32 after the first sketch and can be read by every sketch runs on the same ESP32 => If somebody uploads a new sketch on my ESP32-devices he can read my Wifi credentials.

I fear that most wifimanager-libraries (for example https://github.com/tzapu/WiFiManager at least in version <=2.0.14-beta) has by default the same issue, but the wifimanagers are not the root of the issue.

My workarounds

I found four workarounds that seems to clear the Wifi credentials

  1. Arduino IDE-Option: Erase All Flash Before Sketch Upload: "Enabled"
  2. WiFi.disconnect(true,true) or WiFi.disconnect(false,true)
  3. Clearing Wifi configuration after each connection
  4. Nonpersistent credentials WiFi.persistent(false) (currently my favourite)

1. Erase All Flash Before Sketch Upload: "Enabled"

This is only a workaround when I am uploading a sketch and not for a running sketch, but this can be used to reset your ESP32 before you give the microcontroller to another person. EraseAllFlash

2. Wifi.disconnect(true/false,true)

WiFi.disconnect(true,true) or WiFi.disconnect(false,true) also switch off wifi, which would be a problem for wifi driven projects, but you can use these commands to reset your ESP32 within a sketch before you give the microcontroller to another person.

Code example (WiFi.begin is needed to get WiFi.disconnect working):

WiFi.begin();
WiFi.disconnect(true,true);

3. Clearing Wifi configuration after each connection

This will not disconnect the running wifi connection (WiFi.reconnect() will not work after clearing the Wifi configuration, but this should be no big problem by writing an own function to reconnect)

To clear the Wifi configuration after each connection within a sketch you can use the esp_wifi_set_config command:

#include <esp_wifi.h>
...
wifi_config_t conf;
memset(&conf, 0, sizeof(wifi_config_t));
if(esp_wifi_set_config(WIFI_IF_STA, &conf)){
  log_e("clear config failed!");
}

like in this sketch:

#include <WiFi.h>
#include <esp_wifi.h>

#define WIFIMAXRETRIES 30
#define SSID "myssid"
#define PASSWORD "mySecretPassword1"

void setup() {
  int wifiRetry = 0;

  Serial.begin(115200);

  Serial.println("Connect Wifi with credentials");
  WiFi.begin(SSID,PASSWORD);

  while ((WiFi.status() != WL_CONNECTED) && (wifiRetry <= WIFIMAXRETRIES)) {
    wifiRetry++;
    delay(500);
    Serial.print(".");
  }
  Serial.println();
  
  // Clear Wifi credentials in ESP32 after connection
  wifi_config_t conf;
  memset(&conf, 0, sizeof(wifi_config_t));
  if(esp_wifi_set_config(WIFI_IF_STA, &conf)){
    log_e("clear config failed!");
  }

  if (WiFi.status() == WL_CONNECTED) {
    Serial.print("Successfully connected and ESP got IP ");
    Serial.println(WiFi.localIP());
  } else Serial.println("Connection failed");
}

void loop() {
}

4. Nonpersistent credentials with WiFi.persistent(false)

I got this hint from espressif/arduino-esp32#7420 and this will not disconnect the running wifi connection and WiFi.reconnect() seems to work. It will not delete previously (before WiFi.persistent(false) was used) stored Wifi credentials from ESP32, but prevents the currently used Wifi credentials from beeing stored.

Like in this sketch:

#include <WiFi.h>

#define WIFIMAXRETRIES 30
#define SSID "myssid"
#define PASSWORD "mySecretPassword1"

void setup() {
  int wifiRetry = 0;

  Serial.begin(115200);

  Serial.println("Connect Wifi with nonpersistent credentials");
  WiFi.persistent(false); 
  WiFi.begin(SSID,PASSWORD);
...
}

arduino-esp32-wifi-easy-and-unsecure's People

Contributors

codingabi avatar

Stargazers

Akira-Jang avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.