Nozomi Networks Labs has identified two vulnerabilities in the reference implementation of ESP-NOW, a wireless protocol by Espressif that allows for direct, fast, and low-power control of smart devices on top of existing wireless hardware.
Notably, one of the vulnerabilities discovered could have allowed an attacker to bypass the anti-replay measures implemented by ESP-NOW and retransmit previously captured packets exchanged between two vulnerable ESP-NOW nodes at will. This vulnerability affects even packets protected by the encryption layer and does not require any knowledge of the encryption key. Examples of real-world attack scenarios include the arbitrary deactivation of alarm systems, or the unauthorized opening of automatic entry gates.
Following the disclosure of our findings, Espressif promptly implemented fixes to address these issues in their official GitHub repository, for which we express our gratitude. Asset owners are urged to update the firmware of devices using the vulnerable components at their earliest convenience. For our customers, Nozomi’s Guardian Air wireless sensor has been updated to provide protection against the exploitation of these flaws.
We begin this blog with a high-level introduction to Espressif and the ESP-NOW protocol. We then describe potential real-world attack scenarios that could be facilitated by these vulnerabilities, along with a detailed overview of the flaws themselves and of the affected devices. Finally, we present the official remediations available to address these vulnerabilities.
Research Scope
Espressif Systems is a famous provider of IoT solutions, holding a dominant position in the semiconductor industry. In 2023, the company reported sales of nearly 200 million chips and has shipped over one billion system-on-chips (SoCs) since the introduction of its groundbreaking ESP8266 model in 2014. These figures not only underscore Espressif’s significant influence in the semiconductor market but also highlight its leading role in shaping the IoT and smart device sectors.
Among its innovations, Espressif has developed ESP-NOW, a proprietary protocol designed for direct device-to-device wireless communication. Operating at the data-link layer and utilizing Wi-Fi action frames (Figure 1), this protocol is provided as a partially open-source extension module within their ESP-IDF SDK. ESP-NOW is compatible with various Espressif SoCs that feature Wi-Fi connectivity, enabling seamless and efficient communication between devices. It is specifically engineered to deliver quick responses, thereby minimizing delays and packet losses that commonly occur in congested network environments. This makes ESP-NOW a popular solution for developers aiming to enhance connectivity in their IoT applications.
What Are the Impacts of These Vulnerabilities?
The vulnerability with the largest impact is CVE-2024-42483, which allows replay attacks to be performed against vulnerable ESP-NOW nodes. This could even occur on communications protected by an encryption security layer and without the encryption key.
Depending on the system being targeted, this vulnerability can have profound consequences. For instance, ESP-NOW is used in security systems such as building alarms, allowing them to communicate with motion sensors. In such a scenario, an attacker could exploit this vulnerability to replay a previously intercepted legitimate “OFF” command, thereby disabling a motion sensor at will.
Another common application of ESP-NOW is in the implementation of remote door openers, such as those used for automatic gates or garage doors. In that situation, an attacker could intercept an “OPEN” command and replay it at a later time to open the door and gain unauthorized access to the building.
We want to highlight that, to achieve these attacks, the only precondition required is the capability to sniff the target communication to replay. This capability can be readily achieved with a high-gain Wi-Fi directional antenna, enabling a threat actor to potentially carry out the attack from tens of meters away from the transmitting node.
An additional impact, posed by CVE-2024-42484, is the possibility of inducing Denial-of-Service (DoS) conditions on arbitrary nodes. However, tests conducted on the reference implementation, despite being successful in exploiting the vulnerability per se, did not succeed in recreating the conditions necessary to trigger this effect.
As a result, it is unlikely that this vulnerability poses a significant threat to devices using the reference code. It would only present a risk in rare situations, such as when a manufacturer or asset owner has made modifications to the reference code (e.g., to add new functionalities or alter the device's behavior in specific scenarios).
Vulnerability List and Affected Versions
The following table lists the two vulnerabilities found, ordered by CVSS v3.1 base score.
CVE-2024-42483 affects the ESP-NOW GitHub repository up to commit 0c8bd74456e797520351d72ed85b44a8ddf0ed63 (included).
CVE-2024-42484 affects it up to commit e8748dd33eced44e5f0dd6ad7ba11a39e4ab71d9 (included).
Vulnerability Spotlight
Of the two vulnerabilities we discovered, CVE-2024-42483 is the most perilous, as it could ultimately allow a threat actor to execute replay attacks.
With the specific goal of preventing replay attacks, all ESP-NOW packets include a unique “magic” value, which consists of 16 bits generated randomly for each transmission. ESP-NOW nodes then use a local magic cache, referred to as “g_msg_magic_cache,” which stores a pair comprising the type and the magic value of each received message.
The principle behind this mechanism is simple. Upon receiving each incoming message, the ESP-NOW node checks the contents of the cache. If the message's type and magic value are already present, the message is identified as a duplicate and discarded. If not, the message is accepted, and the processing flow proceeds as usual.
Although this approach appears robust in theory, it has proven to be insufficient in practice due to the following two shortcomings:
- The local cache maintained by each node to store these magic values is limited in capacity. By default, as illustrated in Figure 2, each node's cache contains only 32 slots. These slots are managed in a round-robin manner, meaning that once the cache is full, each new message will overwrite the oldest entry with its type and magic value;
- The local cache is not differentiated by message type; it serves as a single, shared resource for all types of messages, whether they are broadcast or unicast, and regardless of whether they are encrypted or transmitted in cleartext.
As a result, an attacker can flood the network with a burst of cleartext, broadcast, and unauthenticated ESP-NOW messages, which would rapidly fill and subsequently overwrite the entire cache. This strategy enables an attacker to clear the cache of legitimate entries, creating an opportunity to re-inject previously captured packets regardless of their encryption status.
This attack scenario is represented in Figure 3.
Remediations
After these vulnerabilities were reported, Espressif promptly addressed the flaws in the reference implementation of ESP-NOW.
In case an asset owner has direct control on the firmware of their own ESP-equipped devices, they can remediate these vulnerabilities by building new images after updating their local copy of the ESP-NOW GitHub repository to at least commit 4e30db50d541b2909d278ef0db05de1a3d7190ef (the first one including patches for both vulnerabilities).
Alternatively, asset owners are urged to contact the manufacturer of their devices to obtain patched firmware images that fix the aforementioned vulnerabilities.
If, for any reason, asset owners are unable to update their devices, the following mitigations can be implemented to reduce the likelihood of successful exploitation:
- Monitor the wireless channel (e.g., through Guardian Air) in proximity to the receiving vulnerable device;
- Reduce the wireless signal power of the transmitting device to the minimum, to decrease the chances that an adversary may intercept a valid message;
- Periodically verify that the receiving vulnerable device is functioning properly and as expected.
