ESP8266 security question.

can use your router by getting the id/password from other devices that use it.

How does that work? Are we sending the password unencrypted? If so, of what value is a password?

Are we sending the password unencrypted?

ESP uses the same encryption that your router uses.

]can use your router by getting the id/password from other devices that use it.

Not really, you need to specify the ssid & pass, of course the ESP stores the info in the (flash) EEPROM, and it could be retrieved from there if you have access to the device, but the same thing goes for your phone and all other device that may use your router.

my password etc., is NOT in the sketch.

A typical password policy is that a password may be written to a device, but not read back. It is to prevent a temporary breach from becoming a permanent one.

So how is it getting in? Unless a nodemcu saves it to ram somehow. I gave this thing no password yet it connects and reads news. Somewhere I read it reads passwords from others using the device suggesting these are not encrypted when connecting.

This is one explanation of how the password is used to create keys for encryption without the password ever being transmitted to the other party.

So how is it getting in?

You provided the WiFi network login credentials at some time and the ESP8266 connected. These credentials are "remembered" in the device's Flash.

If it upsets you that much, you can "un-remember" the settings:

If you don't provide 'new' credentials, the old ones are used. You can erase these when you upload a sketch if you select 'flash + wifi credentials' under : tools -> erase flash.
This option is not perfect though, it does remove the credentials for use, but similar to overwriting SPIFFS for instance, it simply disables it's 'presence' but does not overwrite the data with with 'null'
It must be possible to programatically retrieve the data or read the data from the flash chip without the use of the ESP it self, but it is a fairly complex thing to do.

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.