Nozomi Networks Labs has identified two vulnerabilities in the reference implementation of ESP-NOW, a wireless protocol by Espressif that allows for direct, fast, and low-power control of smart devices on top of existing wireless hardware.
Notably, one of the vulnerabilities discovered could have allowed an attacker to bypass the anti-replay measures implemented by ESP-NOW and retransmit previously captured packets exchanged between two vulnerable ESP-NOW nodes at will. This vulnerability affects even packets protected by the encryption layer and does not require any knowledge of the encryption key. Examples of real-world attack scenarios include the arbitrary deactivation of alarm systems, or the unauthorized opening of automatic entry gates.
Following the disclosure of our findings, Espressif promptly implemented fixes to address these issues in their official GitHub repository, for which we express our gratitude. Asset owners are urged to update the firmware of devices using the vulnerable components at their earliest convenience. For our customers, Nozomi's Guardian Air wireless sensor has been updated to provide protection against the exploitation of these flaws.