Authentication Gap in ESPHome


Preamble: I contacted the ESPHome developers with my findings a while ago; they were not interested in changing the lack of authentication by default.

If you’re reading this post, it’s likely you have experimented with smart home and IoT stuff, or have at the very least thought about it. It’s also just as likely you care about the safety of your own home.


Despite that, many smart home enthusiasts have left their homes exposed to the internet, because authentication is disabled by default in ESPHome.

ESPHome is a platform that DIY enthusiasts often use for their smart home projects. It allows you to use common microcontrollers like the ESP32 to make your devices “smart”.

Additionally, it makes managing configuration, versioning, controlling and automating devices much easier.

MITRE ATT&CK

| Name | ID |
| --- | --- |
| Active Scanning: Scanning IP Blocks | T1595.001 |
| Search Open Technical Databases: Digital Certificates | T1596.003 |
| Exploit Public-Facing Application | T0819 |
| Program Upload | T0845 |
| System Firmware | T0857 |
| Manipulation of Control | T0831 |

Data leaks

ESPHome users can expose two types of interfaces: a custom interface made by the user to control one device (the Web Server), and the admin dashboard where devices and configurations are managed.

Web Server leaks

Admin Dashboard leaks

Finding ESPHome instances

You can find ESPHome instances via both passive and active scanning.

Fingerprints (Active)

Admin dashboard:

User Dashboard:

MQTT:

Domains (Passive)

If you have the infrastructure to monitor the Let’s Encrypt certificate transparency log, you can look out for these subdomains:

Abuse potential

Imagine if, during a ransomware attack, the attackers took control of the air conditioning and made the office unbearable by overheating or overcooling it. While it may seem insignificant in the grand scheme of things, in the moment the mental impact can be tremendous, potentially overshadowing the future organizational consequences of the ransomware attack itself during incident response.

Low skill

Most attacks you will see are likely opportunistic script kiddies messing with lights, AC temperature and lawn sprinklers.

For the more long-term attackers, you could see them turning on pool heating or maxing out the AC at night to attack the finances of the org.

High skill

This is useless on its own for financially motivated actors, but as mentioned above it can be devastating in combination with other attacks.

Patching

For the admin dashboard, you can add a username and password through the launch command: https://esphome.io/guides/cli.html#dashboard-command

For the web server, you can add a username and password to the config (the config is exposed by the dashboard, so make sure the dashboard is secured first): https://esphome.io/components/web_server.html#configuration-variables
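The following is an added example, not code from this post or from the ESPHome project: a small audit script that walks your device configs and flags any `web_server:` block that has no `auth:` with both a `username` and a `password`, so the default-unauthenticated state described above is caught before the device is flashed. It is deliberately line-based rather than a full YAML parse so that ESPHome tags like `!secret` need no special loader; the two sample configs embedded in it are constructed, not from any real deployment.

```python
# Added example (not ESPHome's code): flag configs whose web_server block has no auth.
# Line-based on purpose, so ESPHome's !secret / !include tags need no YAML loader.
import re

def top_level_blocks(text: str) -> dict[str, list[str]]:
    """Map each unindented YAML key to its body lines (indent kept, comments dropped)."""
    blocks: dict[str, list[str]] = {}
    current = None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).rstrip()
        if not line.strip():
            continue
        key = re.match(r"^([A-Za-z0-9_]+):\s*(.*)$", line)  # only matches at column 0
        if key:
            current = key.group(1)
            blocks[current] = [key.group(2)] if key.group(2) else []
        elif current is not None:
            blocks[current].append(line)
    return blocks

def web_server_auth_status(config_text: str) -> str:
    """'absent', 'unauthenticated' (ESPHome default), 'incomplete' or 'authenticated'."""
    body = top_level_blocks(config_text).get("web_server")
    if body is None:
        return "absent"
    auth_at = next((i for i, l in enumerate(body) if l.strip() == "auth:"), None)
    if auth_at is None:
        return "unauthenticated"
    auth_indent = len(body[auth_at]) - len(body[auth_at].lstrip())
    creds = {}
    for line in body[auth_at + 1:]:
        if len(line) - len(line.lstrip()) <= auth_indent:
            break  # left the auth: mapping
        m = re.match(r"^\s*(username|password):\s*(.*)$", line)
        if m:
            creds[m.group(1)] = m.group(2).strip().strip("\"'")
    return "authenticated" if creds.get("username") and creds.get("password") else "incomplete"

def audit(configs: dict[str, str]) -> dict[str, str]:
    # {name: status} for every config that exposes a web server without full auth
    return {n: s for n, t in configs.items()
            if (s := web_server_auth_status(t)) in ("unauthenticated", "incomplete")}

# Constructed sample configs, not taken from any real deployment.
EXPOSED = "esphome:\n  name: office-ac\nweb_server:\n  port: 80\n"
HARDENED = ("esphome:\n  name: office-ac\nweb_server:\n  port: 80\n"
            "  auth:\n    username: admin\n    password: !secret web_server_password\n")

if __name__ == "__main__":
    print(audit({"office-ac.yaml": EXPOSED, "office-ac-fixed.yaml": HARDENED}))
```

The HARDENED sample shows the shape of the fix from the linked web_server documentation (password kept in secrets.yaml via `!secret`); the dashboard itself is secured separately with the username and password options of the launch command linked above.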

Follow general IoT security practices such as: