espressif/arduino-esp32

Are Wifi credentials stored in an unsecure way on ESP32?

codingABI opened this issue · 4 comments

Board

ESP-WROOM-32 NodeMCU (ESP32 Dev Board)

Device Description

Only a plain ESP-WROOM-32 NodeMCU (ESP32 Dev Board)

Hardware Configuration

Only a plain ESP-WROOM-32 NodeMCU (ESP32 Dev Board)

Version

v2.0.5

IDE Name

Arduino IDE

Operating System

Windows 11

Flash frequency

80 MHz

PSRAM enabled

no

Upload speed

115200

Description

Everybody who can upload a sketch to an ESP32 can read the previously used Wifi credentials in plain text. This makes it very easy for hackers to get my Wifi credentials if they get USB access to one of my ESP32s.

Sketch

#include <WiFi.h>
#define WIFIMAXRETRIES 30

void setup() {
  int wifiRetry = 0;

  Serial.begin(115200);

  Serial.println("Connect without credentials");
  WiFi.begin();

  while ((WiFi.status() != WL_CONNECTED) && (wifiRetry <= WIFIMAXRETRIES)) { // wait while connecting
    wifiRetry++;
    delay(500);
    Serial.print(".");
  }
  Serial.println();
  
  if (WiFi.status() == WL_CONNECTED) {
    Serial.print("Successfully connected and ESP got IP ");
    Serial.println(WiFi.localIP());
  } else Serial.println("Connection failed");
  Serial.print("SSID ");
  Serial.println(WiFi.SSID());
  Serial.print("PSK ");
  Serial.println(WiFi.psk());
}

void loop() {
}

Debug Message

Connect without credentials
.
Successfully connected and ESP got IP 192.168.170.26
SSID myssid
PSK mySecretPassword1

Other Steps to Reproduce

I prepared a description to reproduce on https://github.com/codingABI/Arduino-ESP32-Wifi-easy-and-unsecure

I have checked existing issues, online documentation and the Troubleshooting Guide

  • I confirm I have checked existing issues, online documentation and Troubleshooting guide.

Likely true. If a hacker can break into your home, plug in USB to your module, install the development environment on their laptop, and read out the flash, then they can likely find the WiFi credentials in your flash. Or they could reprogram your module with a simple program to print the credentials to the console.

You can turn off autosaving of WiFi credentials. This is what we use:

WiFi.persistent(false);                   //Base library should NOT save SSID/pwd to NVS. This also prevents wifi autostart.
//https://stackoverflow.com/questions/65873683/how-do-you-erase-esp32-wifi-smartconfig-credentials-from-flash
//Namespace "nvs.net80211": "sta.authmode", "sta.ssid", "sta.pswd".

I tried WiFi.persistent(false); before the line WiFi.begin(SSID,PASSWORD); and the used Wifi credentials could not be read by another sketch uploaded afterwards => That seems to solve my problem. Thank you very much!

I'm just a little surprised that this security issue doesn't show up in the ESP32 tutorials I know of. WiFi.persistent(false); should be much better known. I'm afraid not many ESP32 newbies like me are aware of the problem.

@codingABI if you want that to be secure, you need to look past Arduino and use ESP-IDF with flash+nvs encryption (you could still have Arduino as a component in the IDF project).

I'll give the ESP-IDF&encryption a try when I get a chance. At the moment WiFi.persistent(false) is an acceptable solution for me. Thank you all.
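
To check on your own board that the mitigations discussed in this thread left nothing readable, the following added example (not code from the thread or from arduino-esp32) scans a dump of the NVS partition for the sta.ssid and sta.pswd entries named above and reports whether they hold non-zero data, without decoding the values. It assumes the ESP-IDF NVS on-flash layout summarized in its docstring; audit_nvs and sample_page are hypothetical names, and the sample page is constructed.

```python
"""Audit an ESP32 NVS dump for readable Wi-Fi station credentials (added example).
Assumed ESP-IDF layout: 4096-byte pages = 32-byte header + 32-byte entry-state
bitmap (2 bits/entry) + 32-byte entries: ns, type, span, chunk, crc32, key[16], data[8]."""
import struct
import sys

PAGE, ENTRY, FIRST = 4096, 32, 64
KEYS = {b"sta.ssid", b"sta.pswd"}      # key names quoted in the thread
VARLEN = {0x21, 0x41, 0x42}            # string, legacy blob, blob data
STATES = {0b11: "empty", 0b10: "written", 0b00: "erased"}

def audit_nvs(dump: bytes):
    """Return (offset, key, state, populated) per entry; values are never decoded."""
    findings = []
    for page in range(0, len(dump) - PAGE + 1, PAGE):
        bitmap = dump[page + 32:page + 64]
        for idx in range((PAGE - FIRST) // ENTRY):
            off = page + FIRST + idx * ENTRY
            entry = dump[off:off + ENTRY]
            key = entry[8:24].split(b"\x00", 1)[0]
            if key not in KEYS or entry[1] not in VARLEN:
                continue
            state = STATES.get((bitmap[idx // 4] >> (idx % 4 * 2)) & 3, "invalid")
            size = struct.unpack_from("<H", entry, 24)[0]   # payload follows the header entry
            end = min(off + ENTRY + size, page + PAGE)      # stay inside the page
            findings.append((off, key.decode(), state, any(dump[off + ENTRY:end])))
    return findings

def sample_page(secret: bytes) -> bytes:
    """Constructed page: zero-filled sta.ssid blob plus sta.pswd holding `secret`."""
    page, slot = bytearray(b"\xff" * PAGE), 0
    for key, payload in ((b"sta.ssid", bytes(36)), (b"sta.pswd", secret.ljust(65, b"\0"))):
        span = 1 + -(-len(payload) // ENTRY)                # header entry + data entries
        head = bytes([1, 0x42, span, 0]) + bytes(4) + key.ljust(16, b"\0")
        head += struct.pack("<HHI", len(payload), 0xFFFF, 0)
        off = FIRST + slot * ENTRY
        page[off:off + ENTRY * span] = head + payload.ljust((span - 1) * ENTRY, b"\xff")
        for i in range(slot, slot + span):                  # mark entries written (0b10)
            page[32 + i // 4] &= ~(1 << (i % 4 * 2)) & 0xFF
        slot += span
    return bytes(page)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_page(b"constructed-psk")
    results = audit_nvs(data)
    for off, key, state, populated in results:
        print(f"0x{off:05x} {key:<9} {state:<8} {'POPULATED' if populated else 'zero-filled'}")
    sys.exit(1 if any(p for *_, p in results) else 0)
```

Pass the path of an NVS partition dump as the only argument; with no argument it audits the constructed sample page. An entry reported as erased but populated is stale data still physically present in flash.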