Before the end of this decade, there will be over 40 billion connected IoT devices, double the number that exists today. That’s 40 billion devices communicating, exchanging data - devices that are potentially unpatched and exploitable. And IoT growth will continue despite the risks and challenges it represents to technological infrastructure.
While new technologies represent great new features, they also come with new risks. It is up to us to detect threats and implement strategies to address these risks and close the security gaps that exist thanks to the widespread usage and growth of IoT devices.
ESP-NOW and IoT Feature Richness
We have seen this trade-off before. Plug-and-play devices, and now IoT devices that are discoverable without any user interaction, translate into information being shared over the air, sometimes unencrypted.
This is where ESP-NOW enters. Developed by Espressif, ESP-NOW is a proprietary protocol designed for direct device-to-device wireless communication. This protocol, which operates at the data-link layer of the OSI model and relies on Wi-Fi action frames, is provided as an open-source extension module for Espressif’s ESP-IDF SDK. ESP-NOW is compatible with various Espressif SoCs that feature Wi-Fi connectivity, facilitating seamless and efficient communication between devices. It is specifically engineered to offer quick responses, thereby reducing the delays and packet loss that often occur in congested network environments. This makes ESP-NOW an ideal solution for developers looking to enhance connectivity in their IoT applications.
ESP-NOW supports both "one-to-many" and "many-to-many" device control configurations. This flexibility allows a single remote control to pair with multiple smart devices, enabling complex control schemes within a network. Furthermore, ESP-NOW can function as an independent protocol, which is invaluable for device provisioning, debugging, and firmware upgrades.
So, we have a protocol that allows operators to deploy or provision devices by the thousands at any given point in time. Nozomi Networks’ security research team has analyzed ESP-NOW to identify vulnerabilities in this protocol. To understand the potential security implications, the team constructed a proof-of-concept replay attack scenario.
Vulnerability Analysis: Replay Attack
Before we introduce the attack implemented, please note that Espressif investigated and successfully patched their software, so these identified vulnerabilities are no longer applicable in newer versions. Below, we walk through the mechanism employed by ESP-NOW to safeguard its communications against replay attacks and the strategy used by Nozomi Networks Labs to bypass it.
Let’s get started…
A replay attack involves the malicious duplication and retransmission of a legitimate data transmission. Attackers intercept valid communications and resend them, deceiving the recipient into treating the replayed message as new. This is particularly concerning because it can be used to circumvent security systems that lack the capability to detect and block repeated transmissions.
With ESP-NOW, where messages may control security-sensitive functions such as motion or smoke sensors, the stakes are high. A successful replay attack could render these critical systems useless, potentially leading to severe security breaches. Countermeasures typically involve embedding timestamps or nonce values within messages to verify their uniqueness and timeliness. Such measures ensure that even if messages are intercepted, their retransmission will not compromise the security of the system.
In ESP-NOW, the strategy to thwart replay attacks involves a "magic" value within each transmitted message. Every ESP-NOW message includes a "magic" value, a 16-bit number generated randomly for each transmission. The intent is that each message carries a distinct identifier that a receiver can use to recognize a repeated transmission. Note that a 16-bit value can take only 65,536 distinct values, so this uniqueness only protects a message for as long as the receiver still remembers the earlier transmission.
Then, ESP-NOW nodes utilize a local magic cache to record these values. For each received message, this cache stores pairs consisting of the message type and its corresponding magic value.
During the reception of messages, as outlined at the top of Figure 1, the default reception callback function processes incoming ESP-NOW messages by first checking this cache. If an incoming message's type and magic value already exist in the cache, the message is considered a duplicate and is promptly discarded, preventing further processing. Conversely, if the cache does not contain an entry matching the type and magic of the received message, the latter is accepted for processing, and the cache is updated to include this new pair.

Unfortunately, this protection mechanism in ESP-NOW exhibits two weaknesses. First, the local cache that each node maintains to store magic values is limited in capacity: once the cache is full, each new message overwrites the oldest entry with its own type and magic value. Second, the cache is not differentiated by message class; it is a single, shared resource for all kinds of messages, whether broadcast or unicast, and regardless of whether they are encrypted or in cleartext.
This design flaw introduces a significant security loophole: it is feasible to flood the network with a burst of cleartext, broadcast, and unauthenticated ESP-NOW messages, which can quickly fill and then overwrite the entire cache. Such a strategy allows an attacker to potentially clear the cache of its legitimate entries, thereby creating an opportunity to re-inject previously captured packets.
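The following model, added here as an illustration and not Espressif's code, reproduces the cache behavior described above: one fixed-size ring of (type, magic) pairs shared by every message class, with the oldest entry overwritten when the ring is full. It then runs the attack sequence from the text (capture a legitimate frame, replay it immediately, flood the node with distinct cleartext broadcasts, replay again). The cache size of 32, the message types, the MAC addresses and the frames themselves are assumptions constructed for this example. The `PartitionedMagicCache` class is one possible hardening, also an assumption, and is not a description of the fix Espressif shipped.

```python
"""Model of the ESP-NOW magic-value replay filter and the cache-flood bypass.

Added example (not Espressif's code). The cache layout follows the text: one
fixed-size ring of (type, magic) pairs shared by every message class, oldest
entry overwritten when full. Cache size, message types, addresses and frames
are constructed for illustration.
"""
import random
from dataclasses import dataclass

CACHE_SIZE = 32  # assumption: the real capacity is not given in the text


@dataclass(frozen=True)
class Frame:
    src: str
    msg_type: int
    magic: int        # 16-bit, random per transmission
    broadcast: bool
    encrypted: bool
    payload: bytes


class SharedMagicCache:
    """One ring buffer for all frames: broadcast or unicast, encrypted or not."""

    def __init__(self, size=CACHE_SIZE):
        self.entries = [None] * size
        self.next = 0

    def accept(self, frame):
        key = (frame.msg_type, frame.magic)
        if key in self.entries:
            return False                 # duplicate (type, magic): drop
        self.entries[self.next] = key    # new pair: overwrite the oldest slot
        self.next = (self.next + 1) % len(self.entries)
        return True


class PartitionedMagicCache:
    """Assumed hardening (not Espressif's published fix): unauthenticated
    cleartext broadcast frames get their own small ring, so flooding them
    cannot evict entries created by encrypted unicast traffic."""

    def __init__(self, size=CACHE_SIZE):
        self.trusted = SharedMagicCache(size)
        self.untrusted = SharedMagicCache(size // 4)

    def accept(self, frame):
        ring = self.untrusted if (frame.broadcast and not frame.encrypted) else self.trusted
        return ring.accept(frame)


def replay_scenario(cache, seed=7):
    """Capture a legitimate encrypted unicast command, replay it immediately,
    flood the victim with CACHE_SIZE distinct cleartext broadcasts, replay again.
    Returns (replay_before_flood_accepted, replay_after_flood_accepted)."""
    rng = random.Random(seed)
    captured = Frame("02:00:00:00:00:01", msg_type=1, magic=rng.randrange(1 << 16),
                     broadcast=False, encrypted=True, payload=b"SENSOR_DISARM")
    assert cache.accept(captured)             # genuine transmission is processed
    before = cache.accept(captured)           # immediate replay: (type, magic) still cached
    for i in range(CACHE_SIZE):               # flood: fresh (type, magic) pairs, all accepted
        cache.accept(Frame("02:00:00:00:00:ff", msg_type=0, magic=i,
                           broadcast=True, encrypted=False, payload=b""))
    after = cache.accept(captured)            # replay once the legitimate entry is gone
    return before, after


if __name__ == "__main__":
    print("shared cache     :", replay_scenario(SharedMagicCache()))       # (False, True)
    print("partitioned cache:", replay_scenario(PartitionedMagicCache()))  # (False, False)
```

With the shared ring, exactly `CACHE_SIZE` cheap, unauthenticated frames are enough to evict the legitimate entry and make the replay succeed; with the partitioned ring the flood only churns its own partition. Partitioning is still only a mitigation: any bounded cache of random magics ages entries out eventually, so a per-peer monotonic counter or timestamp bound to the authenticated payload is the more robust design.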
Let’s have a look at a replay attack attempt. The packet I/O graph in Figure 2 shows bursts of packets injected by the attacker. Because ESP-NOW is commonly used in low-bitrate scenarios, such an unusual spike in traffic is a strong indicator of malicious activity: a burst of this kind suggests that a magic cache flood is underway, potentially as the precursor to a replay attack.
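A passive wireless sensor has two advantages the receiving device does not: it sees the traffic rate, and it is not limited to a small magic cache. The detector below, added here as an illustration and not Nozomi Networks' detection logic, runs both checks over a constructed capture: a sliding-window rate rule for the burst shown in the I/O graph, and an unbounded history of (source, type, magic) triples that flags a frame repeating one seen earlier even after the device's own cache has been flushed. The frame records, addresses, window length and threshold are assumptions for the example; a real sensor would decode these fields from captured action frames and tune the threshold to the observed baseline.

```python
"""Detection side: flag magic-cache floods and replayed ESP-NOW frames in a
capture. Added example, not Nozomi Networks' detection logic. Frame records
are constructed; thresholds are assumptions for a low-bitrate deployment."""
from collections import deque, namedtuple

Obs = namedtuple("Obs", "t src msg_type magic")   # t: capture time in seconds


def detect(observations, window=1.0, burst_threshold=20):
    """Returns (burst_times, replayed_frames).

    Rule 1: more than burst_threshold frames within any sliding `window`
            seconds; the time at which the threshold is crossed is reported.
    Rule 2: a (src, type, magic) triple already seen anywhere in the capture.
            Unlike the device's bounded cache, the sensor keeps full history,
            so a flood cannot erase what it remembers."""
    bursts, replays = [], []
    recent = deque()        # timestamps inside the current window
    seen = set()            # every (src, type, magic) observed so far
    in_burst = False
    for obs in sorted(observations, key=lambda o: o.t):
        recent.append(obs.t)
        while recent and obs.t - recent[0] > window:
            recent.popleft()
        if len(recent) > burst_threshold:
            if not in_burst:                  # report each burst once
                bursts.append(round(obs.t, 3))
                in_burst = True
        else:
            in_burst = False
        key = (obs.src, obs.msg_type, obs.magic)
        if key in seen:
            replays.append(obs)
        seen.add(key)
    return bursts, replays


def sample_capture():
    """Constructed capture: 30 s of ~1 frame/s legitimate traffic, a 40-frame
    flood within 0.2 s from a stray address, then a replay of the frame sent
    at t=5 once the victim's cache would have been overwritten."""
    sensor = "02:00:00:00:00:01"
    legit = [Obs(float(t), sensor, 1, (0x1234 + 7 * t) & 0xFFFF) for t in range(30)]
    flood = [Obs(30.0 + i * 0.005, "02:00:00:00:00:ff", 0, i) for i in range(40)]
    replay = [Obs(30.5, sensor, 1, (0x1234 + 7 * 5) & 0xFFFF)]
    return legit + flood + replay


if __name__ == "__main__":
    bursts, replays = detect(sample_capture())
    print("burst crossed threshold at:", bursts)
    print("replayed frames:", replays)
```

Two caveats for production use: the history in Rule 2 must be bounded by time (hours rather than forever) to keep memory in check, and bursts are not malicious on their own, since ESP-NOW is also used for provisioning and firmware upgrades, which legitimately generate traffic spikes. Correlating a burst with a subsequent repeated triple, as the sample capture does, is what makes the alert actionable.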

The vulnerabilities exposed by this attack scenario not only demonstrate the potential risks but also highlight the importance of enhancing security measures to mitigate such threats effectively.
Within the Nozomi Networks Platform, the Guardian Air wireless sensor can detect replay attacks. As shown in Figure 3, alerts are raised immediately, giving operators the time they need to react.

Once you click on the alert, further details can be obtained, including a PCAP file with captured data that can be analyzed, as shown in Figure 5. When detected, corrective actions can be taken, preventing operational loss and any potential intrusion or sabotage attempts.


By introducing technologies created to detect weaknesses and threats in the infrastructure, Nozomi Networks can convert the “ease of use” concept into something practical and secure, driving innovation correctly and safely.
Conclusion
Ease of use and feature richness are always the first things users experience, yet they also become a risk, as they open the door to potential exploits.
Whether it translates into disabled sensors that let intruders go undetected, or smoke rising in a facility with nobody noticing in time, the risks of vulnerabilities like the replay attack in ESP-NOW enabled devices are too high, and they can be reduced significantly by introducing appropriate technologies.
Vantage and Guardian Air can not only detect attacks while they happen, but also raise flags when devices are unpatched or have known vulnerabilities, presenting this data in a friendly manner through the Vantage UI and in the Nozomi Asset Risk dashboard.
Beyond the legal implications and the consequences of critical systems going down, ensuring the continuity of operations in a world where attackers’ drivers and motivations are no longer purely financial is of the utmost importance. To that end, Nozomi Networks has created technologies that reveal attackers early in their attempts to gain access and frustrate their intentions in time.