The ESP8266 SoC has fast become a hugely popular platform for developing IoT applications. The reasons for this are obvious: it's affordable, provides wireless connectivity, comes in a small form factor, and includes a fully-featured Tensilica lx106 core onboard that is powerful enough to run fully-featured embedded operating systems. The manufacturer, Espressif, also provides an SDK, a port of FreeRTOS, and a cloud-backed IoT platform for embedded devices. A new generation of developers is flocking to the ESP8266 and being introduced to C and systems programming in the process. But few realize that beneath the veneer of accessibility lurks a Pandora's box of perils straight out of the 90s...

This talk will focus on exploiting memory corruption vulnerabilities for platforms hosted on the ESP8266. We will provide an overview of the Tensilica lx106 core, cover testing and development workflow, and use real bugs to motivate a discussion of the internals of multiple platforms, including the Espressif IOT Platform based on FreeRTOS and the NodeMCU firmware core. This research is based on experience with code review, fuzzing, and developing attacks against both vendor SDKs and open-source libraries for this hardware.

Attendees will understand the risks facing users of this new class of devices. Pentesters will learn how to review applications built for this hardware platform and determine the impact of bugs they identify. Defensive security practitioners will get an inside look at attacks against software written for the ESP8266.

Joel works as an independent security researcher and has recently focused on security in embedded systems.