Can ESP32 web server be made a secure network?

Awesome, I am going to check your idea out. No, not paranoid, just cautious. I have nothing to hide and would only be linking up occasionally, so I don't see a huge problem. Now the guy in the white van??? I may just have to play with him for the fun of it! lol. Thanks, not bad for an MC!

Terry

P.S. I will report back findings tomorrow.

Well, even better is if the microcontroller logs into the home WiFi and becomes a node on the LAN, as opposed to being its own Wireless Access Point.

Hi @binaryrhyme,

Well, even better is if the microcontroller logs into the home WiFi...

  Sorry, but assuming the 'home network' also connects to Internet, which is true in a vast number of homes, then that is exactly the trap door I am trying to eliminate. There are numerous reports of 'simple, low cost devices', as well as some big brand names with higher priced devices, which have been shown to be a major risk. This group has particularly included security cameras, but all sorts of other stuff has been the same. The ESP32 CAM is more secure than the worst of these examples, which had obvious fixed default passwords, etc, but I have no way of ascertaining whether it is truly secure or not.

  If you have a separate 'home network', with its own hub, and that is completely isolated from the Internet ... then yes, that is a convenient alternative ... but it does require more hardware (expense) and for 'occasional' use applications is probably hard to justify. However, I was reserving it as a fallback if the access point approach was too limited ... e.g. the ESP and laptop needed to be in different parts of the house and the signal from the ESP was too weak to traverse the walls, etc.

Best wishes, Dave

@davee Worry more about your computers, printers, and such if you have your router configured such that they are in the wild on your LAN, methinks.

P.S. The security breaches of IoT devices occurs because they are configured to be accessible from security services and remote display apps. If it is configured to be only used locally, it is as safe as anything else on the LAN

P.S.S. - pretty good vid on the topic: IoT Security Vulnerabilities: Quick fixes and realistic discussion about smart home security - YouTube

Hi @binaryrhyme,

Worry more about your computers, printers, and such if you don't have your router configured such that they are in the wild on your LAN, methinks.

   I tend to disagree ... especially as the ESP CAM is a web server, whose job is to listen for a request. From a settings point of view, I do not allow access to printers or computers from the Internet side of my router, but that is not a complete barrier .. more like a sieve ... and the sneaks have ways of getting through the mesh, looking for vulnerable devices. Furthermore, any device with poor security that can be persuaded to leak your home network login details, immediately opens every other device up to a more aggressive attack.

-------------

P.S. The security breaches of IoT devices occurs because they are configured to be accessible from security services and remote display apps. If it is configured to be only used locally, it is as safe as anything else on the LAN

Sorry, but 'it is as safe ...' bit isn't true ... 

    ... unless your network devices include unsupported or unpatched computers ... e.g Windows versions prior to 10  ...  in which case you are providing a vast selection of attack routes.

It is true the worst examples of vulnerable IoT devices use default passwords and so on, but computers of all sizes, particularly those running software like a web server, are open to 'sneaky' approaches.

...and none of the software I have seen for ESP has any obvious means of 'configuring to be only be used locally'. Of course it will normally have a local net address like 192.168..., but that is translated to a 'real IP' in the router.

e.g. the device may be sent a packet which has been specially formulated to 'crash' it in a controlled way ... this packet has been customised to target a particular bug.

This is why computers running Windows, Linux, including Android, or Apple operating systems are updated on a daily/weekly cycle as new bugs are discovered ... for each bug discovery, it is a race against time between a patch being deployed and the malicious hackers trying to break into systems using the newly discovered hole.

My Ethernet connected printer similarly gets roughly two updates per year ... presumably as bugs are discovered.

My older printers are USB based, and hence immune from IP traffic. I think a lot of older 'large office' printers have been found to be vulnerable and may not be updated, but this is probably less of problem at home. However, home WiFi printers could also be a target.

----------------------------

I also watched the video you recommended ... whilst a lot of what he said is sensible, a sizeable chunk is out of date or wrong.

The worst omission is that he does not mention fraud ... this is a fast growing industry, and sadly one that is affecting the lives of many -- it is not a fictitious 'never happen to me' situation.

For individuals, the most common form of fraud probably involves bank and credit card accounts, which most of us access with computers, tablets or phones. There are also scams involving  impersonation ...people suddenly find they have massive credit card, loan or mortgage debts 'attached' to them that they knew nothing about, as the credit was registered in their name, by someone else who has long since disappeared with the cash.

The danger of an insecure IoT device is commonly not that of misuse of its intended function (e.g. camera) but that it may reveal your network login credentials ... and those are then used to assist targetting PCs etc. which have more valuable information.

-

Of course, a video of your private life might be a target for ransom and blackmail, depending upon your lifestyle.... or it might reveal the house is empty, so available for an old fashioned 'smash and grab' attack ....

---

A second suggestion I disagreed with was that 'home-brewed' code would be safe ... obviously if you write every line of the software for your own device, then any vulnerabilities will be pseudo-unique, and hence less likely to respond to a generic attack. But in practice, most people will adopt standard libraries, etc. for much of the coding, so are likely to share any vulnerability.

In addition, some of the cracking tools specialise in looking for new trap doors in new software.

And as for getting someone to check your code ... sorry but that is non starter ... Companies like Google and Microsoft employ lots of bright people ... yet their products are found to have flaws on a daily basis. Finding vulnerabilities is really hard and really expensive.

-----------------------------

You may feel this risk is small .. that is your prerogative... but the evidence is increasingly pointing the other way ...

This problem has even persuaded the UK government to introduce legislation to ban the sale of IoT devices with poor security ...

https://www.gov.uk/government/news/new-smart-devices-cyber-security-laws-one-step-closer

Whilst I have my doubts about the effectiveness of this legislation, to gain this much attention, it is clearly causing concerns with the cyber security crowd, presumably including the UK government security organisations! There are a lot of people having their bank accounts scammed, etc. at present, and organisations are being ransomed.

Note, I am not saying ESP CAM, or any other device is insecure ... merely that I am not in a position to  check it either way, so I am recommending caution, especially if that caution is cheap and simple.

A few years ago, this risk was miniscule for individuals ... it is much greater now.

Take care and best wishes, Dave

@davee Ok.

As with most things security has many levels and for the determined most can be breached. With the levels of interconnection that most of us have there are many doors by which access could be had if one desired. I am going to modify my usage to be such that the likelihood of an intervention would be almost nil. I can certainly see why it became a college level curriculum necessity. Thank you all for this very interesting discussion. My last reply got lost in the electronic void so here is a short update to the Blu tooth attempt. I need to further impress on everybody that I am challenged but only defeated when I quit. To this end I was not successful in connecting but I have not quit. The device does not show up and I tried my phone and computer. These challenges are what I have a love hate relationship with! It is nice to have some work right out of the gate and yet it is still fun to ferret out the issues until there ultimately is success!

Terry   

@mrclassicman You'll sort it, I have every faith. I'm not familiar with your unit, but if you're having trouble connecting bluetooth with the ESP32, this might help.

#174 Bluetooth BLE on ESP32 works! Tutorial for Arduino IDE - YouTube

@mrclassicman Hi Terry,

  Unfortunately, security is becoming more important.

  I haven't used Bluetooth for much, so I don't how easy it is for video. However, the Access point conversion is simple ... albeit I have one understanding 'Why?' still unanswered ... read on ...

--------

I think the Access Point system in any normal situation will be fine from a security point of view, as any malevolent access must be within a small radius of your house. Furthermore, the handful of people close enough to you, could only try to break into the ESP CAM and laptop involved in the link up ... not any other phones, PCs, etc that might be connected to your home router.

---------------

So, going back to the Access Point scenario I alluded to a couple of messages back, it is simple to implement ... as an experiment I briefly tried it about 8 months ago, and it works roughly the same as when connecting via a router. Range is not massive with the built in PCB antenna of the ESP32, but comfortably more than the 10 feet you mentioned.

Assuming you already have got the CameraWebServer sketch that Bill describes to work, then do a File Save As on the CameraWebServer example as before, giving it an appropriate name.

Then follow the modifications and instructions described on this web site:

https://randomnerdtutorials.com/esp32-cam-access-point-ap-web-server/

Noting:

• The SSID and password in this case refers to the Access Point ... not your home router .. so make sure they are different from your home router details!!
• When you have compiled, linked and downloaded the new program onto the ESP32 CAM, then you need to change your Laptop connection from your home router to that of the ESP32, with the SSID and password details you just typed into the ESP code.
• Then go to your browser, and use the HTTP: address shown in the web site instructions referred to above ... the Serial monitor will probably show HTTP://0.0.0.0, which doesn't work!!

-----------------------

And as for the 'Why?' question I still can't answer...

  Before writing this reply, I wanted to check and remind myself, so i went through the procedure again.  This time I picked a new SSID and password. But although I have loaded umpteen new programs onto the same ESP32 card, it still insists on using the SSID and password from eight months ago! I have even loaded a new copy of Arduino IDE onto a Kubuntu OS (I normally use Ubuntu) running on independent partitions, then recreated the program from scratch. It is downloading the new code each time ... but the SSID and password are still the old ones!

So maybe it is being stored somewhere that is not updated on code download .. or maybe I am missing the obvious.

Either way, choose your new SSID and password with care ... completely different from your home router .... you might be living with them for a while!

--------------------------

Best wishes .. the modifications are very small, so it should only take a few minutes to try Hopefully it will work first time!

Good luck