
Topic: Regarding ESP deauthers


May 25, 2017, 12:30 am Last Edit: May 25, 2017, 12:38 am by pert
There have been multiple threads created today by new users trying to get basic help with making ESP8266 deauthers (AKA "WiFi Jammers") so I thought it would be good to give some information on this topic to the forum regulars and to clarify my opinion.

Earlier this year a GitHub user named spacehuhn published an Arduino sketch for ESP8266 that prevents clients from being able to connect to a network over WiFi. Over time a slew of Youtube videos and instructables have been created about how you can "Make a super illegal WiFi Jammer for only $8!!!" which brought the thing to the attention of a lot of people who had never even heard of Arduino or the ESP8266 before.

It works because the deauthentication frames used to disconnect clients from the network are sent in unencrypted packets. This issue has been fixed by encrypting the management packets in the 802.11w-2009 amendment but new routers still don't have this encryption enabled by default because it breaks compatibility with old devices. This wasn't a new discovery, it just made a known attack a little easier to do.

The problem is spacehuhn made it too easy. I do think it's ok to publish information on this attack and generally I think it's great how Arduino makes complex projects accessible to people without a lot of experience. However, in this case I think there should be a higher barrier to entry. The people who have a legitimate use for this device don't need it to be an Arduino sketch. The experienced people who would use it for evil purposes could already do that long before this was published. So all this does is make it available to people who have no legitimate purpose for it and have not considered the consequences. Even though it has been made so easy, we still have people fairly regularly showing up on the forum asking for help for problems they're having when trying to make one of these devices. I actually helped the first person out because their issue was fairly complex and interesting but I felt bad about it later. So my decision is that I won't help people to do this and I will always speak out against it when I see the topic come up here. If they can figure it out on their own or get help elsewhere then there's nothing I can do about that.

I understand that security through obscurity doesn't work. I respect what white hat security researchers and pen testers do. I can even appreciate the intelligence and hard work behind a well done black hat hack (though I certainly don't approve) but this is just a dumb hack that can only be used to annoy and inconvenience people.

If you read the instructions you'll notice you have to use the 2.0.0 version of the esp8266 core, even though the latest release is 2.3.0. The older ESP8266 SDK versions gave access to the low level functions required for this hack, which were later removed because of the potential for abuse. Those functions have legitimate applications too. So this sort of thing hurts us all. We still have access to the 2.0.0 release of the esp8266 core and the old SDK versions but Espressif has tried to restrict this sort of functionality in ESP32 from the very start (from https://www.esp32.com/viewtopic.php?t=586#p2486). As igrr (one of the lead developers of the esp8266 core) said:

The wifi_send_pkt_freedom() function was removed from the ESP8266 SDK, I believe because of the potential for abuse (jamming by spamming beacon frames, sending large numbers of deauth frames, etc.) I don't believe this policy has changed, sorry.

spacehuhn has also expressed frustration with the fate of his project: https://youtu.be/qcAcQQPRYrk. They even had to shut down the issue tracker on the repository due to all the invalid responses.
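The mechanism pert describes (plaintext deauthentication frames that anyone can forge unless 802.11w protected management frames are in use) is also what makes a flood easy to spot from the defender's side. The following is an added example, not code from the thread or from spacehuhn's project: it parses the 802.11 MAC header of captured frames and flags any transmitter that sends many unprotected deauth/disassoc frames within a one-second window. The sample capture, BSSID and client addresses are constructed here so it runs offline.

```python
import struct
from collections import defaultdict

MGMT_TYPE = 0                 # Frame Control type field: management frame
DEAUTH, DISASSOC = 12, 10     # management subtypes that tear down a client's session
PROTECTED = 0x4000            # Frame Control "Protected Frame" bit (set under 802.11w PMF)

def parse_mgmt(raw: bytes):
    """Decode an 802.11 MAC header; return None unless the frame is a deauth/disassoc.

    Result: (transmitter_mac, protected_flag, reason_code_or_None)."""
    if len(raw) < 24:
        return None
    (fc,) = struct.unpack_from("<H", raw, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != MGMT_TYPE or subtype not in (DEAUTH, DISASSOC):
        return None
    protected = bool(fc & PROTECTED)
    addr2 = raw[10:16].hex(":")             # Address 2 = transmitter (a forger puts the BSSID here)
    reason = None
    if not protected and len(raw) >= 26:    # body is plaintext only when PMF is not in use
        (reason,) = struct.unpack_from("<H", raw, 24)
    return addr2, protected, reason

def flag_floods(frames, threshold=5, window=1.0):
    """frames: iterable of (timestamp_s, raw_bytes). Returns {transmitter: peak count of
    unprotected deauth/disassoc frames in any `window`-second bucket} for peaks >= threshold."""
    counts = defaultdict(int)
    for ts, raw in frames:
        hit = parse_mgmt(raw)
        if hit and not hit[1]:                  # PMF-protected frames carry a MIC; not forgeable
            counts[(hit[0], int(ts // window))] += 1
    peaks = defaultdict(int)
    for (mac, _bucket), n in counts.items():
        peaks[mac] = max(peaks[mac], n)
    return {mac: n for mac, n in peaks.items() if n >= threshold}

# --- constructed sample capture (not real traffic; addresses are made up) ---
def build_mgmt(subtype, addr1, addr2, addr3, body=b"", protected=False):
    fc = (MGMT_TYPE << 2) | (subtype << 4) | (PROTECTED if protected else 0)
    return struct.pack("<HH", fc, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0) + body

AP = bytes.fromhex("020000000001")
BROADCAST = b"\xff" * 6
SAMPLE = [(t / 10, build_mgmt(8, BROADCAST, AP, AP)) for t in range(120)]       # beacons, 10/s
SAMPLE += [(5.0 + i / 100, build_mgmt(DEAUTH, BROADCAST, AP, AP, struct.pack("<H", 7)))
           for i in range(20)]                                                   # burst at t=5
SAMPLE.append((10.0, build_mgmt(DEAUTH, AP, bytes.fromhex("0200000000aa"), AP, b"\x03\x00")))

if __name__ == "__main__":
    print(flag_floods(SAMPLE))   # {'02:00:00:00:00:01': 20}
```

The lone client deauth at t=10 (reason 3, station leaving) stays below the threshold, while the twenty broadcast deauths forged under the AP's address in one second are reported; a network with 802.11w required would see those frames arrive unprotected and could drop them outright.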

Coding Badly

...it just made a known attack a little easier to do.
I have to disagree.  Armed with an Atheros chipset and BackTrack or Aircrack-ng the attack can be made with no programming.

@spacehuhn did lower the cost threshold (a few dollars versus a few hundred dollars).

This wasn't a new discovery...
No doubt.  It's the basis for WEP cracking.  (Which works great against old Verizon / Frontier routers.  Don't ask how I know.)
