Preamble: I contacted the ESPHome developers with my findings a while ago; they were not interested in changing the lack of authentication by default.
If you’re reading this post, it’s likely you have experimented with smart home and IoT stuff, or have at the very least thought about it. It’s also just as likely you care about the safety of your own home.
Despite that, many smart home enthusiasts have left their homes exposed to the internet, because authentication is disabled by default in ESPHome.
ESPHome is a platform that DIY enthusiasts often use for their smart home projects. It lets you use common microcontrollers like the ESP32 to make your devices “smart”.
Additionally, it makes managing configuration, versioning, controlling and automating devices much easier.
MITRE ATT&CK techniques relevant to this issue (Enterprise and ICS matrices):

| Name | ID |
|---|---|
| Active Scanning: Scanning IP Blocks | T1595.001 |
| Search Open Technical Databases: Digital Certificates | T1596.003 |
| Exploit Public-Facing Application | T0819 |
| Program Upload | T0845 |
| System Firmware | T0857 |
| Manipulation of Control | T0831 |
ESPHome users can expose two types of interfaces: a custom interface built by the user to control a single device (the Web Server component) and the admin dashboard, where devices and configurations are managed.
You can find ESPHome instances via both passive and active scanning.
Admin dashboard:
User Dashboard:
https://oi.esphome.io/v2/www.js
MQTT:
If you have the infrastructure to monitor the Let's Encrypt certificate transparency logs, you can watch for these subdomains:
Imagine if, during a ransomware attack, the attackers took control of the air conditioning and made the office unbearable by overheating or overcooling it. While this may seem insignificant in the grand scheme of things, in the moment the mental impact can be tremendous, potentially overshadowing the future organizational consequences of the ransomware attack itself during incident response.
Most attacks you will see are likely opportunistic script kiddies messing with lights, AC temperature and lawn sprinklers.
From longer-term attackers you could see things like turning on pool heating or maxing out the AC at night to attack the organization's finances.
This is useless on its own for financially motivated actors, but, as mentioned above, it can be devastating in combination with other attacks.
For the admin dashboard you can set a username and password through the launch command: https://esphome.io/guides/cli.html#dashboard-command
For the web server you can add a username and password to the device config (the config is exposed by the dashboard, so make sure the dashboard is secured first): https://esphome.io/components/web_server.html#configuration-variables
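An added example, not part of the original post or of ESPHome's own tooling: a small Python check that audits a device YAML for a `web_server:` block lacking the `auth:` credentials described above, with constructed weak and hardened configs embedded inline. It assumes the documented block-style `web_server` / `auth` / `username` / `password` layout and also flags a literal password in favour of `!secret`.

```python
# Constructed sample configs (not from any real deployment).
WEAK_CONFIG = """\
esphome:
  name: office-ac
web_server:
  port: 80   # web UI reachable by anyone who can route to the device
"""
HARDENED_CONFIG = """\
esphome:
  name: office-ac
web_server:
  port: 80
  auth:
    username: admin
    password: !secret web_password   # value lives in secrets.yaml
"""

def web_server_auth_issues(config_text):
    """Findings for the top-level web_server block (empty list = OK).
    Line-based scan of the documented block-style keys; not a full YAML parser."""
    in_ws = ws_seen = auth_seen = False
    auth_indent, creds = None, {}
    for raw in config_text.splitlines():
        line = raw.split(" #", 1)[0].rstrip()   # drop trailing comments
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = stripped.partition(":")
        if indent == 0:                          # a new top-level component
            in_ws = key == "web_server"
            ws_seen = ws_seen or in_ws
            auth_indent = None
        elif in_ws:
            if auth_indent is not None and indent <= auth_indent:
                auth_indent = None               # left the auth mapping
            if key == "auth" and auth_indent is None:
                auth_indent, auth_seen = indent, True
            elif auth_indent is not None:
                creds[key] = value.strip()
    if not ws_seen:
        return []                                # no web UI exposed at all
    if not auth_seen:
        return ["web_server has no auth block: device web UI is unauthenticated"]
    findings = [f"web_server.auth.{f} is missing or empty"
                for f in ("username", "password") if not creds.get(f)]
    if creds.get("password") and not creds["password"].startswith("!secret"):
        findings.append("web_server.auth.password is a literal; use !secret")
    return findings
```

Run it over every device YAML in your ESPHome config directory before the dashboard compiles and uploads them.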
Follow general IoT security practices such as: