Possible securiy breach in ESPS.
-
Not sure if you guys watch or follow Kevin Darrah on YouTube but he found a way to clone the flash of the ESP, including wifi settings.
How To Read from ESP32 - CLONE/BACKUP Everything
He promised to post a follow up, with how to decrypt your flash.
-
I do not think it is a security breach, because ESP32 has AES256 encryption for flash data, if enabled.
https://docs.espressif.com/projects/esp-idf/en/latest/esp32/security/flash-encryption.html@alexelite they do not, however, state exactly which variant of AES they use. If they do not generate an initialization vector and are not using some block chaining variant, AES is quite weak.
Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@alexelite they do not, however, state exactly which variant of AES they use. If they do not generate an initialization vector and are not using some block chaining variant, AES is quite weak.
@Anticimex said in Possible securiy breach in ESPS.:
@alexelite they do not, however, state exactly which variant of AES they use. If they do not generate an initialization vector and are not using some block chaining variant, AES is quite weak.
thanks my issue has been fixed.
-
@alexelite they do not, however, state exactly which variant of AES they use. If they do not generate an initialization vector and are not using some block chaining variant, AES is quite weak.
@Anticimex said in Possible securiy breach in ESPS.:
@Anticimex
AES is quite weak.Probably why the NSA/CIA/FBI etc all recommended it! ;)
-
@alexelite they do not, however, state exactly which variant of AES they use. If they do not generate an initialization vector and are not using some block chaining variant, AES is quite weak.
@Anticimex Don't think they use have encryption. It's just not powerful enough for that
-
@Anticimex Don't think they use have encryption. It's just not powerful enough for that
-
@Anticimex said in Possible securiy breach in ESPS.:
@Anticimex
AES is quite weak.Probably why the NSA/CIA/FBI etc all recommended it! ;)
-
@skywatch are you implying they recommend AES without an IV or block chaining enhancement? I don't think so ;)
-
@Anticimex No, I am saying that they already had a way to get AES data so that is why rhey promoted it for use generally. They are always way ahead of what we are allowed to have!
@skywatch that depend on the key size you choose, and how you deploy the implementation (like block chaining and random initialization).
Symmetric ciphers are even quite secure in the quantum world given large enough key sizes.Do you feel secure today? No? Start requiring some signatures and feel better tomorrow ;)
-
@skywatch that depend on the key size you choose, and how you deploy the implementation (like block chaining and random initialization).
Symmetric ciphers are even quite secure in the quantum world given large enough key sizes. -
@Anticimex Surely in a quantum environment a key size is irrelevant?
