ESP32/ESP8266 Wi-Fi Attacks

  • First and foremost, this speaks to the ubiquity and hacker friendliness of Espressif's chips. Most of their competitors (I'm looking at you, Broadcom) prefer security through obscurity and make it extremely difficult to get access to chips, let alone SDKs. I am certain that similar vulnerabilities exist in every embedded WiFi chipset out there.

    That being said, the status quo is completely untenable. Connectivity has become the norm in the hardware space, and it is built on a shoddy software foundation. Vendor SDKs are often best effort endeavors provided "as is" with no thought given to security or reliability. The results are clear: "the S in IOT stands for security" has become a trope, and connected cameras, locks, washing machines, and many more are getting owned on a weekly basis.

    This will change, and whoever cracks this nut will be very successful indeed.

  • For those unfamiliar with the topic, these two chips are by far the most common wifi chips for DIY and are also very common in IoT devices. Due to their cheap price ($2—$5 depending on the model) and very low technical barrier to entry, these devices are both very popular and very widespread in those two categories.

    These chips are the first hits for searches such as "Arduino wifi module", "breadboard wifi", "IoT wifi module", and many, many more as they're the downright easiest way to add wifi to something that doesn't have it out of the box.

    I'm not sure how applicable these attack vectors are in the real world, but they affect a very large number of devices for sure.

  • Well that sucks. I have probably 20 esp8266 chips around the house doing various things (when you can get an MCU for like $2, you find a lot more uses!), but I don't think any of them really need to worry about this aside from the DoS attacks taking them offline. I'll need to maybe look into some alerts when they start going offline, but not much.

    I'm not familiar with the Enterprise WPA2 stuff. Is it widely used in high-security environments or "enterprise" areas? And is the ability to gain control over a device on those networks a big deal?

    Enterprise WPA2 always seemed crazy complex, and given the fact that many devices can't even seem to do WPA2 Personal completely correctly, I never had a good feeling about the Enterprise stuff.

  • This appears to be the relevant thread on the Arduino ESP8266 page: https://github.com/esp8266/Arduino/issues/6016

    Looks like it was closed due to "lack of info". I wonder if that caused some bad blood?

  • Honestly most of the IOT consumer tech infrastructure does security via the "please don't look at me" approach.

    Still don't know exactly why my home assistant can discover & control my wifi bulbs...never provided passwords or anything.

  • The fake beacon frame issue is the key one here - relatively few people are using Enterprise WPA2, but ESP8266 (or compatible - such as the Tuya TYWE3S) chips are in all kinds of random low-cost IoT devices. I've got some smart plugs which use them, as well as a few of the dev boards connected up to various sensors, so it looks like I will have some patching to do...

  • Yeah, I've caused some of these crashes. The IDF needs a lot of work when it comes to some of the stacks.

    I've been trying to bring the Bluetooth stack (which shares a common ancestor with the Android one) closer to the current Android Bluetooth stack, since that's well maintained (ish) and I'm extending it.

  • ESP8266 is a low-cost Wi-Fi microchip with a full TCP/IP stack and microcontroller capability produced by the Shanghai-based Chinese manufacturer Espressif Systems.

    ESP32 is a series of low-cost, low-power system-on-a-chip microcontrollers with integrated Wi-Fi and dual-mode Bluetooth.

    Some kind of IoT chips? Can't tell what the real-world impact of this is.

    Edit: whoa, thanks for the context, folks! I'm surprised this wasn't obvious from the wiki pages.

  • So is there any way to mitigate these vulnerabilities, or does it require replacing the hardware?

  • Oh crud, all my lighting runs off these things. I wish more smart controller/switches used powerline networking rather than WiFi.

  • This is interesting for screwing up badges at Defcon, but I wouldn't lose too much sleep over it. They're neat devices but not really used for anything critical. I'm also not sure they're being used for a lot of consumer devices. If you war drove a major hackerspace you might reset an LED light art project.

  • I'd like to see a writeup of how they discovered these weaknesses.

  • It's fine to say we want everything as secure as possible. But what about the tradeoff between a system being easy to connect/use and making it so difficult to connect that hobbyist users can't get the device to work?

    If you are doing mission critical or life-safety related work with $3 devices, you are doing it wrong. Spend a little more and use something else.

    In my case, I am monitoring room temperatures in my house with several ESP8266 devices so I want easy-to-connect features. I don't care about security in this application.

  • Are there any open-source hardware/software ESP clones, similar to what Arduino did in the microcontroller space?

  • That's why I keep them in my network only

  • The branded bug disclosure page should be something about "Basic Cable" or "PortsCenter"

  • The title of this submission made it sound like those are aeroplane models.