Vulnerability of ESP8266 board

I don't know if this question belongs here or in the programming subforum, but I found it to be closest to here...

What are the vulnerabilities of the ESP8266 board that is used in a temperature sensor if someone wants to hack inside my company?

The obvious one is if a bad actor gains physical access to the ESP and downloads the flash memory to extract your WiFi SSID & password, but due to limitations of WEP, WPA & WPA2 encryption, a person can discover and crack your WiFi password reasonably easily anyway.

I would not expose ESPs to traffic from the internet.

What is the vulnerability of your code?
Is your code prepared to process malicious data?

Most users are happy if they don't overwrite their buffers themselves while processing valid input. :wink:

Whandall:
I would not expose ESPs to traffic from the internet.

As it is a WiFi device that may be difficult.

If the ESP is a dead-end then hacking will just disable it - with some small inconvenience to the owner and little advantage to the hacker.

However if it provides an easy gateway that hackers can use to get into a larger system .......

This is an interesting example of how newer does not automatically mean better. This question would not have to be asked if an Atmega 328 was being used to collect the temperature data.

...R

Robin2:
As it is a WiFi device that may be difficult.

Absolutely.

A malicious OTA (if enabled) could probably even be scripted by kids. :smiley:

For my sensors that are not within my home I use LoRa to talk back to a local gateway. They send a simple JSON payload ({"D":"L2","N":0,"T":26.13,"P":1020.00,"A":-56.06,"H":46.82,"L":496.00,"V":3.73}). As it is a broadcast protocol, it contains no WiFi details that could be extracted, but the data could be spoofed, though (in my case) this will not affect any critical systems.
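
An added example, not part of the post above or the poster's own code: one way a gateway can reject spoofed or replayed readings of the kind shown in that payload, by having the sensor append a truncated HMAC-SHA256 tag. The shared key, the 8-byte tag length, and treating `D` as the device id and `N` as a per-device message counter are assumptions.

```python
import hashlib
import hmac
import json

KEY = b"constructed-demo-key"  # assumption: secret provisioned on sensor and gateway
TAG_LEN = 8                    # assumption: bytes of HMAC-SHA256 kept to fit small frames


def seal(reading, key=KEY):
    """Sensor side: compact JSON body followed by a truncated HMAC tag."""
    body = json.dumps(reading, separators=(",", ":"), sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Gateway:
    def __init__(self, key=KEY):
        self.key = key
        self.last_counter = {}  # device id -> highest counter accepted so far

    def accept(self, frame):
        """Return the reading, or None if the frame is forged, replayed or malformed."""
        if len(frame) <= TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        try:  # parse only after the tag has verified
            reading = json.loads(body)
            dev, counter = reading["D"], reading["N"]
        except (ValueError, KeyError, TypeError):
            return None
        if not isinstance(dev, str) or type(counter) is not int:
            return None
        if counter <= self.last_counter.get(dev, -1):
            return None  # old or repeated counter: treat as a replay
        self.last_counter[dev] = counter
        return reading


if __name__ == "__main__":
    # Constructed sample: the payload quoted in the post above.
    sample = {"D": "L2", "N": 0, "T": 26.13, "P": 1020.00,
              "A": -56.06, "H": 46.82, "L": 496.00, "V": 3.73}
    gw = Gateway()
    frame = seal(sample)
    print("first delivery:", gw.accept(frame))
    print("same frame again:", gw.accept(frame))
```

The counter table lives in memory here, so a real gateway would need to persist it across restarts for the replay check to hold.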

Also here

Whandall:
A malicious OTA (if enabled) could probably even be scripted by kids. :smiley:

Wouldn't that imply that the intruder already has access to your WiFi? If so, I'd think they could cause more problems with their laptop than by reprogramming your ESP.

Edit
Perhaps not if they could initiate an OTA from the internet. Never mind.