A (in)Secure-by-Design IoT Protocol: The ESP Touch Protocol and a Case Study Analysis from the Real Market


Abstract

The number of IoT devices designed and marketed in recent years is growing continuously. These smart objects are increasingly managed through the cloud, so more and more devices are connected both to the customer's local network and to the Internet. Among the several network pairing mechanisms designed for the IoT domain, we examined the Smart Config family of protocols, a clever technology that allows an IoT device to be associated with an existing WiFi network by receiving special packets from a smartphone that is already paired with that network. We investigate the threats and the technical details behind the ESP Touch protocol, a Smart Config implementation developed by Espressif Systems for its ESP32/8266 family of chips. Additionally, we present a security analysis of the same protocol as implemented by the ITEAD Sonoff smart switches (and by many other ESP-based devices), which we conducted by reverse-engineering the eWeLink mobile companion application. In conclusion, we describe a vulnerability (published as CVE-2020-12702) that we found in the Quick Pairing mode of the eWeLink SDK, which leads to full WiFi credential disclosure during the device pairing process.

Citation (APA)

Salzillo, G., & Rak, M. (2020). A (in)Secure-by-Design IoT Protocol: The ESP Touch Protocol and a Case Study Analysis from the Real Market. In CPSIOTSEC 2020 - Proceedings of the 2020 Joint Workshop on CPS and IoT Security and Privacy (pp. 37–48). Association for Computing Machinery, Inc. https://doi.org/10.1145/3411498.3419965
