TESTING THE SECURITY ESP32 INTERNET OF THINGS DEVICES

Abstract

In the paper analysis of current trends in IoT technologies enabled us to identify a segment for which information security assurance may encounter a lack of its level. These are IoT devices based on ESP32 microcontroller, that designed and implemented at home by non-professionals. The physical model of a handmade IoT system that includes device for measuring temperature based on ESP32 (small-sized ESP32-based development board ESP32 devKit V2 produced by Espressif and digital temperature sensor DS18B20), WiFi home network (based on router TL-WR841N) and web interface (based on node-red-dashboard) was proposed and implemented upon laboratory scale. The initial conditions of the experiment included the following: the use of the UDP protocol, authentication and data encryption based on WPA2-PSK specification, attacker skill level sufficient for use Aircrack-ng tools, Airmon-ng, Airodump-ng, Aireplay-ng, Besside-ng, Wireshark. The result of the experiment based on this model to attempt to gain unauthorized access to the transmitted data was successful. Attack scenario was formulated and consist of four stages: 1 – gaining unauthorized access to a network (network card transfers to monitor mode (Airmon-ng), view available access points (Airodump-ng), handshake interception, guessing the password (Besside-ng); 2 – network traffic interception and analysis (Wireshark); 3 – creating fake ESP32 client using the captured data (Arduino) and connect it to the network; 4 – disconnecting original ESP32 from a server (Aircrack-ng). It is shown that the attacker, who has the basic knowledge and skills in working with common wireless network hacking tools and a basic knowledge of ESP32 and ESP32 programming skills can access the system and send fake information to the web interface. To reduce the probability of the proposed scenario it is recommended to use TCP protocol, which is in contrast to UDP ensures data integrity and sender notification of transmission results.